Abstract. After Mayers (1996, 2001) gave a proof of the security of the Bennett-Brassard 1984 (BB84) quantum key distribution protocol, Shor and Preskill (2000) made a remarkable observation that a Calderbank-Shor-Steane (CSS) code had been implicitly used in the BB84 protocol, and suggested its security could be proved by bounding the fidelity, say $F_n$, of the incorporated CSS code of length $n$ in the form $1 - F_n < \exp[-nE + o(n)]$ for some positive number $E$. This work presents such a number $E = E(R)$ as a function of the rate of codes $R$, and a threshold $R_0$ such that $E(R) > 0$ whenever $R < R_0$, which is larger than the achievable rate based on the Gilbert-Varshamov bound that is essentially due to Shor and Preskill (2000). The codes in the present work are robust against fluctuations of channel parameters, a fact which is needed to establish the security rigorously and was not proved for rates above the Gilbert-Varshamov rate before in the literature. As a byproduct, the security of a modified BB84 protocol against any joint (coherent) attacks is proved quantitatively.
1. Introduction

The security of quantum key distribution (QKD), the aim of which is to share a random secret string of digits between two parties, has been said to rest on the principles of quantum mechanics since the time of its proposal [ref]. However, proofs of the security against a reasonably wide class of attacks were obtained only recently for the first QKD protocol, which uses Wiesner's idea of conjugate coding [ref] and is called the Bennett-Brassard 1984 (BB84) protocol [ref]. Since a preliminary report on such a proof of the security of the scheme was given by Mayers, there have been considerable efforts to refine, strengthen or support this result in the literature (e.g., [ref]). In particular, Shor and Preskill [6] (see also [ref, Section III]) made a remarkable observation that a Calderbank-Shor-Steane (CSS) quantum code had been implicitly used in the BB84 protocol, and suggested that if the fidelity, say $F_n$, of the incorporated Calderbank-Shor-Steane code [10, 11] goes to unity exponentially as the code length $n$ grows large, viz., $1 - F_n < \exp[-nE + o(n)]$ for some positive number $E$, then the security of the BB84 protocol will be ensured in the sense that the mutual information between the shared key and the data obtained by the eavesdropper is less than $\exp[-nE + o(n)]$. However, no one seems to have given such an exponent $E$ for CSS codes explicitly in the literature. Thus, this paper is concerned with the problem of finding such an exponent $E(R)$ as an explicit function of the rate $R$ of CSS codes.

The proviso for the security proof in this paper is as follows: In the main text, we assume that the possible eavesdropper tries to obtain data by performing an identical measurement on each 'particle' (what is really meant is the $d$-level quantum system carrying a digit from $\{0, \dots, d - 1\}$, which is typically assumed to be the polarization of a photon, a two-level system); the two legitimate participants of the protocol can communicate with each other by means of a classical noiseless 'public channel' that may be susceptible to passive eavesdropping but is free of tampering; we adopt the formalism developed by Kraus and others to describe measurements (e.g., [ref]). We assume the so-called individual-attack assumption as mentioned above in order to discuss trade-offs between the level of attacks (including noises) and the allowed rates of transmission of the key; without such an assumption, the level of attacks (often called error rates) could not be properly defined for this purpose. After this tractable case is worked out, the security of a modified BB84 protocol against any joint (coherent) attacks is proved quantitatively in Appendix C.

Among others, it is proved that a code of 'balanced weight spectrum', i.e., a code 
whose weight distribution is almost proportional to the binomial coefficients (when 
d = 2) attains the desired fidelity bound. This would show the direction to designers of 
codes for QKD. The code is robust against fluctuations of channel parameters, which 
is needed to complete the proof of the security rigorously for rates beyond the Gilbert- 
Varshamov one even in the case of individual attacks. The channel parameters have to 
be estimated by the participants of the BB84 to assess the level of eavesdropping, and 
the robustness is necessary because the estimated channel parameters are not exactly 



Reliability of CSS Codes and Security of Quantum Key Distribution 






equal to the true ones in general. The robustness issue will be resolved by utilizing the idea of universal codes [ref] in information theory. A universal code means one whose structure does not depend on the channel characteristics.

The CSS codes form a class of symplectic (stabilizer or additive) codes [ref], and there exists a simple class of CSS codes, in which a CSS code is specified by a classical code, say $C$, satisfying some condition on orthogonality. If we are content with correcting the errors of Hamming weight up to $\delta n/2$, where $\delta n$ is the minimum distance of $C$, exponential convergence of fidelity immediately follows from the Gilbert-Varshamov bound for CSS codes [10] and Sanov's theorem (Section 7), which is central in large deviation theory [ref]. Nevertheless, this argument only ensures the security of the BB84 protocol for code rates up to $1 - 2h(\delta_X + \delta_Z)$, where $h$ is the base-two binary entropy function, $\delta_Z$ is the raw bit error rate in transmitting a bit encoded into an eigenvector $|0\rangle$ or $|1\rangle$ of a Pauli operator, say, $Z$, and $\delta_X$ is that with a bit encoded into $|0\rangle \pm |1\rangle$. Note that the argument of Shor and Preskill [6] can easily be modified to establish the rate $1 - 2h(\delta_X + \delta_Z)$ for individual attacks (see below). The aim of this paper includes obtaining, in a rigorous manner, the better achievable rate $1 - 2h((\delta_X + \delta_Z)/2)$. This rate seems essentially the same as the one previously mentioned in the literature [ref], [ref, Eq. (38)], though these papers focused on other issues and gave no details on their codes achieving this higher rate.

We remark that in comparing this paper's bound with the previously claimed ones, we should take care about the meaning of 'error rates'. Namely, strictly speaking, we should distinguish the error rates in this paper from the 'error rates' in security proofs for joint attacks. Specifically, our $\delta_X$ and $\delta_Z$ are parameters of the channel that represents the eavesdropper's attack on each digit, whereas it is natural to define the 'error rates' for joint attacks as some fictional random variables which are associated with the much larger channel that represents a general joint attack. In Appendix C of this paper, the 'error rates' for joint attacks will appear as $P_{\xi}(1)$ and $P_{\xi'}(1)$, where $P_{\xi}$ [$P_{\xi'}$] is the type, i.e., the empirical distribution, of the 'sifted' part $\xi$ [or an even smaller part $\xi'$] of the sequence of random variables.

Results on exponential convergence of the fidelity of quantum codes (quantum error-correcting codes) have already been obtained by the present author with random coding, which is a proof technique of Shannon's, over general symplectic codes [24, 25, ref]. These previous results, however, ensure only the existence of reliable symplectic codes, and the use of symplectic codes other than CSS codes in QKD seems to require a quantum computer to implement [ref]. Thus, this paper will provide a rigorous but elementary proof that the fidelity $F_n$ of some CSS codes of rate $R$ satisfies $1 - F_n < \exp[-nE(R) + o(n)]$ for some function $E(R)$ such that $E(R) > 0$ whenever $R < 1 - 2h((\delta_X + \delta_Z)/2)$.

Using this bound and Schumacher's argument [28], which related channel codes with quantum cryptography, we prove the security of the BB84 protocol. The proof to be presented below is basically a refinement of Shor and Preskill's. Whereas the use of two-level systems is often assumed when symplectic codes or the BB84 protocol are discussed in the literature, most notions and results easily extend to $d$-level systems with an arbitrary prime $d$. Moreover, maybe contrary to one's expectation, our analysis in the case where $d \ge 3$ will turn out to be more tractable than in the case where $d = 2$, except for the part treating channel estimation, so that we will begin with the easier case where $d \ge 3$.

We neither touch on more practical issues such as the difficulty in preparing a single photon or how to implement $d$-level systems, nor treat more elaborate models allowing basis-dependent attacks and so on [ref].

We remark that there has already been a proposal to use two-way entanglement distillation protocols for QKD in order to increase the maximum tolerable error rate [29], whereas the security of the BB84 protocol to be treated in this paper relies on simpler quantum error-correcting (CSS) codes, which can be viewed as one-way entanglement distillation protocols. The former class is still based on CSS codes, and would deserve further investigation. However, we will stay around the simple class of protocols in this paper in order to resolve the issues mentioned above.

The attainable fidelity of codes given in this paper may also be interesting from the viewpoint of quantum computing since CSS codes are well-suited for fault-tolerant quantum computing [ref]. Incidentally, the technique (permutation argument) in the existence proof of CSS codes in this paper can be incorporated into those of [ref] to show that the fidelity bounds of [ref] can be attained by robust symplectic codes.

The paper is organized as follows. In Section 2, the needed notation on CSS codes is fixed and a brief review of this class of codes is given. In Section 3, we establish the exponential convergence of the fidelity of CSS codes. In Section 4, we apply Schumacher's argument to CSS codes to interpret a quantum code as a QKD protocol, and describe how this reduces to the BB84 protocol. Section 5 reviews the method for channel parameter estimation in the BB84 protocol. In Section 6, the security proof is completed. Sections 7 and 8 contain discussions and the conclusion, respectively. Proofs of subsidiary results are given in Appendix A. In Appendix B, an even better achievable rate, $1 - h(\delta_X) - h(\delta_Z)$, in the BB84 protocol is given. A proof of security of a simple BB84-type protocol for joint attacks is given in Appendix C. The case of general joint attacks is treated in Appendix C. A nomenclature can be found in Appendix D.



2. Calderbank-Shor-Steane Codes 



The complex linear space of operators on a Hilbert space $H$ is denoted by $L(H)$. A quantum code usually means a pair $(Q, \mathcal{R})$ consisting of a subspace $Q$ of $H^{\otimes n}$ and a trace-preserving completely positive (TPCP) linear map $\mathcal{R}$ on $L(H^{\otimes n})$, called a recovery operator; the subspace $Q$ alone is also called a (quantum) code. Symplectic codes have more structure: they are simultaneous eigenspaces of commuting operators on $H^{\otimes n}$. Once a set of commuting operators is specified, we have a collection of eigenspaces of them. A symplectic code refers to either such an eigenspace or a collection of eigenspaces, each possibly accompanied by a suitable recovery operator. Hereafter, we assume $H$ is a Hilbert space with an orthonormal basis $\{|i\rangle\}_{i=0}^{d-1}$, and $d$ is a prime. Throughout, $\mathbb{F}_d$ denotes $\mathbb{Z}/d\mathbb{Z}$, a finite field. We use the dot product defined by

$$(x_1, \dots, x_n)\cdot(y_1, \dots, y_n) = \sum_{i=1}^{n} x_i y_i \qquad (1)$$

where the arithmetic is performed in $\mathbb{F}_d$ (i.e., modulo $d$), and let $C^\perp$ denote $\{y \in \mathbb{F}_d^n \mid \forall x \in C,\ x\cdot y = 0\}$ for a subset $C$ of $\mathbb{F}_d^n$.

In constructing symplectic codes, the following basis of $L(H^{\otimes n})$ is used. Let unitary operators $X, Z$ on $H$ be defined by

$$X|j\rangle = |j - 1\rangle, \qquad Z|j\rangle = \omega^j|j\rangle, \qquad j \in \mathbb{F}_d \qquad (2)$$

with $\omega$ being a primitive $d$-th root of unity (e.g., $e^{i2\pi/d}$). For $u = (u_1, \dots, u_n)$ and $w = (w_1, \dots, w_n) \in \mathbb{F}_d^n$, let $X^u$ and $Z^w$ denote $X^{u_1}\otimes\cdots\otimes X^{u_n}$ and $Z^{w_1}\otimes\cdots\otimes Z^{w_n}$, respectively. The operators $X^uZ^w$, $u, w \in \mathbb{F}_d^n$, form a basis of $L(H^{\otimes n})$, which we call the Weyl (unitary) basis [32]. Observe the commutation relation

$$(X^uZ^w)(X^{u'}Z^{w'}) = \omega^{u\cdot w' - w\cdot u'}\,(X^{u'}Z^{w'})(X^uZ^w), \qquad u, w, u', w' \in \mathbb{F}_d^n, \qquad (3)$$

which follows from $XZ = \omega ZX$. It is sometimes useful to rearrange the components of $(u, w)$ appearing in the operators $X^uZ^w$ in the Weyl basis as follows: For $u = (u_1, \dots, u_n)$ and $w = (w_1, \dots, w_n) \in \mathbb{F}_d^n$, we denote the rearranged one $((u_1, w_1), \dots, (u_n, w_n)) \in \mathcal{X}^n$, where $\mathcal{X} = \mathbb{F}_d\times\mathbb{F}_d$, by $[u, w]$. We occasionally use another symbol $N$ for the Weyl basis: $N_{[u,w]} = X^uZ^w$ and $N_J = \{N_x \mid x \in J\}$ for $J \subseteq \mathcal{X}^n$.

A CSS code is specified by a pair of classical linear codes (i.e., subspaces of $\mathbb{F}_d^n$) such that one contains the other. The quantum codes to be proved to have the desired performance in the sequel are CSS codes of a special type, for which the pair is a classical code $C$ and its dual $C^\perp$ with the property

$$C \subseteq C^\perp.$$

This condition is equivalent to $\forall x, y \in C,\ x\cdot y = 0$, and a code $C$ satisfying it is said to be self-orthogonal (with respect to the dot product).

Coset structures are exploited in the construction of CSS codes. We fix some transversal (a set of coset representatives in which each coset has exactly one representative) of the quotient group $\mathbb{F}_d^n/C^\perp$. Identifying $\mathbb{F}_d^n/C^\perp$ and $C^\perp/C$ with their fixed transversals, respectively, we sometimes write, say, $x \in \mathbb{F}_d^n/C^\perp$ and $v \in C^\perp/C$ for coset representatives $x$ and $v$.

Put $\kappa = \dim C$, and assume $g_1, \dots, g_\kappa$ form a basis of $C$. The operators

$$Z^{g_1}, \dots, Z^{g_\kappa},\ X^{g_1}, \dots, X^{g_\kappa} \qquad (4)$$

commute with each other by (3) and $C \subseteq C^\perp$, so that we have a collection of simultaneous eigenspaces of these operators, which is called a CSS code. Specifically, put

$$|\phi_{xzv}\rangle = \frac{1}{\sqrt{|C|}} \sum_{w \in C} \omega^{z\cdot w}\,|w + v + x\rangle \qquad (5)$$

for coset representatives $x, z \in \mathbb{F}_d^n/C^\perp$ and $v \in C^\perp/C$. Then, we have

$$Z^{g_j}|\phi_{xzv}\rangle = \omega^{x\cdot g_j}|\phi_{xzv}\rangle \quad\text{and}\quad X^{g_j}|\phi_{xzv}\rangle = \omega^{z\cdot g_j}|\phi_{xzv}\rangle, \qquad j = 1, \dots, \kappa. \qquad (6)$$

It is easy to check that $|\phi_{xzv}\rangle$, $x, z \in \mathbb{F}_d^n/C^\perp$, $v \in C^\perp/C$, form an orthonormal basis of $H^{\otimes n}$. In words, we have $d^{n-2\kappa}$-dimensional subspaces $Q_{xz}$ such that $\bigoplus_{x,z} Q_{xz} = H^{\otimes n}$ and $Q_{xz}$ is spanned by the orthonormal vectors $|\phi_{xzv}\rangle$, $v \in C^\perp/C$, for each pair $(x, z) \in (\mathbb{F}_d^n/C^\perp)^2$. The subspaces $Q_{xz}$, $(x, z) \in (\mathbb{F}_d^n/C^\perp)^2$, are the simultaneous eigenspaces of the operators in (4), and form a CSS code.

We will consistently use $\kappa$ and $k$ to denote $\kappa = \dim_{\mathbb{F}_d} C$ and

$$k = n - 2\kappa = \log_d \dim_{\mathbb{C}} Q_{xz}. \qquad (7)$$

Decoding or recovery operation for this type of CSS quantum codes is simple. If we choose a transversal $\Gamma$ of $\mathbb{F}_d^n/C^\perp$, we can construct a recovery operator $\mathcal{R}$ for $Q_{xz}$ so that the code $(Q_{xz}, \mathcal{R})$ is $N_{J(\Gamma)}$-correcting in the sense of [33], where

$$J(\Gamma) = \{[x, z] \mid x \in \Gamma \text{ and } z \in \Gamma\}. \qquad (8)$$

This directly follows from the general theory of symplectic codes [ref] on noticing that the operators in the Weyl basis that commute with all of those in (4) are $X^uZ^w$, $u \in C^\perp$, $w \in C^\perp$, due to (3). The $N_{J(\Gamma)}$-correcting CSS code specified by $C$ and $\Gamma$ as above will be denoted by $\mathrm{CSS}(C, \Gamma)$.



3. Exponential Convergence of Fidelity of Codes to Unity 

First, we treat the simple problem of establishing an attainable fidelity of CSS codes. We write $P^n((x_1, \dots, x_n))$ for $P(x_1)\cdots P(x_n)$ and $P^n(J)$ for $\sum_{x\in J} P^n(x)$, where $P$ is a probability distribution on $\mathcal{X}$ and $J \subseteq \mathcal{X}^n$. More generally, $PQ$ denotes the usual product of two probability distributions $P$ and $Q$, which is specified by $[PQ](s, t) = P(s)Q(t)$. For a probability distribution $Q$ on $\mathcal{Y}\times\mathcal{Y}$, we denote the two marginal distributions by $\overleftarrow{Q}$ and $\overrightarrow{Q}$:

$$\overleftarrow{Q}(s) = \sum_{t\in\mathcal{Y}} Q(s, t), \qquad \overrightarrow{Q}(s) = \sum_{t\in\mathcal{Y}} Q(t, s).$$

3.1. The case where $d \ge 3$

The fidelity of the $N_{J(\Gamma)}$-correcting quantum code $\mathrm{CSS}(C, \Gamma)$ is not smaller than $P^n(J(\Gamma))$ when it is used on the quantum channel that maps $\rho \in L(H^{\otimes n})$ to $\sum_{x\in\mathcal{X}^n} P^n(x)\, N_x \rho N_x^\dagger$. This is true whether entanglement fidelity [28] or minimum fidelity [33] is employed. This bound applies to general channels as well (see the security proof below). Then, noticing

$$P^n(J(\Gamma)^c) \le \overleftarrow{P}{}^n(\Gamma^c) + \overrightarrow{P}{}^n(\Gamma^c), \qquad (9)$$

where $J^c$ denotes the complement of $J$, which holds by the definition (8) of $J(\Gamma)$, we will prove the following theorem.
Theorem 1 Assume $d \ge 3$. Let a number $0 < R < 1$ be given. There exists a sequence of pairs $\{(C_n, \Gamma_n)\}$, each consisting of a self-orthogonal code $C_n \subseteq \mathbb{F}_d^n$ with $n - 2\dim_{\mathbb{F}_d} C_n \ge nR$ and a set $\Gamma_n$ of coset representatives of $\mathbb{F}_d^n/C_n^\perp$, such that for any probability distribution $P$ on $\mathcal{X} = \mathbb{F}_d\times\mathbb{F}_d$,

$$P^n(J(\Gamma_n)^c) \le \overleftarrow{P}{}^n(\Gamma_n^c) + \overrightarrow{P}{}^n(\Gamma_n^c) \le d^{-nE(R,\overleftarrow{P},\overrightarrow{P}) + o(n)}$$

where

$$E(R, \overleftarrow{P}, \overrightarrow{P}) = \min\{E^*(R, \overleftarrow{P}),\ E^*(R, \overrightarrow{P})\},$$

$$E^*(R, p) = \min_{Q}\Big[D(Q\|p) + \tfrac{1}{2}\,|1 - 2H(Q) - R|^+\Big],$$

$|t|^+ = \max\{t, 0\}$, $H$ and $D$ denote the entropy and the Kullback-Leibler information with logarithms of base $d$, respectively, and the minimization with respect to $Q$ is taken over all probability distributions on $\mathbb{F}_d$.

Remark 1. The function $E(R, \overleftarrow{P}, \overrightarrow{P})$ is strictly positive for $R < 1 - 2\max\{H(\overleftarrow{P}), H(\overrightarrow{P})\}$. The code $\mathrm{CSS}(C_n, \Gamma_n)$ has rate $1 - 2\dim_{\mathbb{F}_d} C_n/n \ge R$. The code $C_n^\perp$, as a classical channel code of rate not less than $R' = (R + 1)/2$, attains the error exponent $E^*(2R' - 1, p)$ known as the random coding error exponent of the memoryless additive channel that changes an input $a \in \mathbb{F}_d$ into $a - b$ with probability $p(b)$.

Remark 2. Whereas $P^n(J(\Gamma_n))$ is a measure of the performance of the quantum code $\mathrm{CSS}(C_n, \Gamma_n)$, the probability $\overleftarrow{P}{}^n(\Gamma_n^c)$ has its own meaning. It is an upper bound on the probability of decoding error for the key transmission, which is proved in Appendix A. In fact, the error probability is $\overleftarrow{P}{}^n(\Gamma_n'^c)$ where $\Gamma'_n = \Gamma_n + C_n$, not $\overleftarrow{P}{}^n(\Gamma_n^c)$, because adding a word $e$ in $C_n$ to the key $v + C_n$ does not change it.

Remark 3. That $\Gamma'_n$ is the effective set of correctable errors in QKD (Remark 2) may be interpreted as a manifestation of an inherent property, which is sometimes called 'degeneracy', of CSS codes (more generally, of symplectic codes): Put $\Gamma' = \Gamma + C$; then a CSS code $\mathrm{CSS}(C, \Gamma)$, as a quantum code, can correct the 'errors' $N_y$, $y \in J(\Gamma')$ [ref] (or, e.g., [ref]).

Remark 4. The function $o(n)$ is explicitly given as $3(d - 1)\log_d(n + 1) + \log_d 2 + d$ by (18) below.
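The exponent in Theorem 1 can be evaluated numerically. The following Python snippet is an added example (not part of the paper) that computes $E^*(R, p)$ for the binary case $d = 2$ by a grid search over $Q = (1 - q, q)$, with $H$ and $D$ taken to base $d$, and illustrates Remark 1: the exponent is strictly positive for $R < 1 - 2H(p)$ and vanishes once $R \ge 1 - 2H(p)$ (take $Q = p$). The grid resolution, the function names and the sample distributions are choices made for the example.

```python
import math


def entropy(Q):
    """H(Q): entropy of a distribution Q on F_d (a tuple of probabilities), base-d logarithms."""
    d = len(Q)
    return -sum(q * math.log(q, d) for q in Q if q > 0)


def divergence(Q, p):
    """D(Q||p): Kullback-Leibler information, base-d logarithms (p must have full support)."""
    d = len(Q)
    return sum(q * math.log(q / p[s], d) for s, q in enumerate(Q) if q > 0)


def E_star(R, p, steps=2000):
    """E*(R, p) = min_Q [ D(Q||p) + |1 - 2H(Q) - R|^+ / 2 ] of Theorem 1 for d = 2.
    The minimum over Q = (1 - q, q) is taken on a grid of steps + 1 points
    (an approximation chosen for this example)."""
    best = float("inf")
    for i in range(steps + 1):
        q = i / steps
        Q = (1 - q, q)
        best = min(best, divergence(Q, p) + max(1 - 2 * entropy(Q) - R, 0) / 2)
    return best


def exponent(R, P_left, P_right):
    """E(R, P_left, P_right) = min{E*(R, P_left), E*(R, P_right)}; P_left and P_right
    play the roles of the two marginals of the channel distribution P in Theorem 1."""
    return min(E_star(R, P_left), E_star(R, P_right))


def threshold_rate(p):
    """1 - 2H(p): below this rate E*(R, p) is strictly positive (Remark 1, one marginal)."""
    return 1 - 2 * entropy(p)


if __name__ == "__main__":
    p = (0.9, 0.1)                      # constructed marginal: 10% digit error rate
    print("threshold rate 1 - 2H(p) =", threshold_rate(p))
    for R in (0.0, 0.02, 0.04, 0.06, 0.08):
        print(f"R = {R:.2f}  E*(R, p) = {E_star(R, p):.5f}")
```

The grid search is adequate here because the objective is continuous in $q$; a finer grid only lowers the minimum slightly.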

We prove the theorem by a random coding argument, which is analogous to that in [21], where the idea of universal decoding, i.e., minimum entropy (maximum mutual information) decoding of Goppa (e.g., [ref]) was already used. For the present purposes, we want the codes $C_n$ also to be robust or universal in the sense that their structures do not depend on the distribution $P$, which characterizes the channel. To show this, we begin with the next lemma, which is a variant of Calderbank and Shor's [10, Section V] and says that the ensemble of all self-orthogonal codes is 'balanced'.

Lemma 1 Assume $d \ge 3$, and let

$$\Lambda = \Lambda^{(n,\kappa)} = \{C \subseteq \mathbb{F}_d^n \mid C \text{ linear},\ C \subseteq C^\perp,\ \dim C = \kappa\}$$

and

$$\Lambda_x = \{C \in \Lambda \mid x \in C^\perp\}.$$

Then, for any $u \in \mathbb{F}_d$, there exists a constant $T_u$ such that $|\Lambda_x| = T_u$ for any non-zero word $x \in \mathbb{F}_d^n$ with $x\cdot x = u$.

Remark. The proof below is the same as that of Lemma 6 in [ref] except that the dot product is used here in place of the standard symplectic form. This is possible because $\mathbb{F}_d^n$ equipped with the dot product is an orthogonal space if $d$ is a prime other than 2. The case of $d = 2$ is exceptional, and will be treated later. Lemma 1 and the corollary below are true if the dot product is replaced by any orthogonal, symplectic or unitary form more generally.

Proof. To prove $|\Lambda_x| = |\Lambda_y|$ for non-zero vectors $x$ and $y$ with $x\cdot x = y\cdot y = u$, it is enough to show the existence of an isometry $\alpha$ (an invertible linear map $\alpha$ that preserves the 'product', i.e., that satisfies $\alpha(x)\cdot\alpha(y) = x\cdot y$ for all $x$ and $y$) on $\mathbb{F}_d^n$ with $y = \alpha(x)$, but this directly follows from the well-known Witt lemma [ref], which states that any isometry that is defined on a subspace of an orthogonal space $V$ can be extended to an isometry on the whole space $V$. □

Corollary 1 For $x \in \mathbb{F}_d^n$, $d \ge 3$,

$$\frac{|\Lambda_x|}{|\Lambda|} \begin{cases} \le d^{-\kappa+d-1} & \text{if } x \ne 0^n \\ = 1 & \text{if } x = 0^n. \end{cases}$$

Proof. The case of $x = 0^n$ is trivial. Let $S_u = |\{x \in \mathbb{F}_d^n \mid x\cdot x = u,\ x \ne 0^n\}|$ for $u \in \mathbb{F}_d$. Counting the pairs $(x, C)$ such that $x \in C^\perp$, $x\cdot x = u$, $x \ne 0^n$ and $C \in \Lambda$ in two ways, we have $S_u T_u \le |\Lambda|(d^{n-\kappa} - 1)$. But $S_u \ge d^{n-d+1} - 1$ (since a word $x$ counted in $S_u$ can take arbitrary values in the first $n - d + 1$ positions except $(0, 0, \dots, 0)$), and hence we have $(d^{n-d+1} - 1)T_u \le |\Lambda|(d^{n-\kappa} - 1)$, from which the desired estimate follows. □

In the proof of Theorem 1, we will use the method of types, a standard tool in information theory. Here we collect the needed notions and basic inequalities regarding the method of types. With a finite set $\mathcal{Y}$ fixed, the set of all probability distributions on $\mathcal{Y}$ is denoted by $\mathcal{P}(\mathcal{Y})$. The type of a sequence $y = (y_1, \dots, y_n) \in \mathcal{Y}^n$, denoted by $P_y$, represents the relative frequencies of appearances of symbols $s \in \mathcal{Y}$ in $y$:

$$P_y(s) = \frac{|\{i \mid 1 \le i \le n,\ y_i = s\}|}{n}, \qquad s \in \mathcal{Y}. \qquad (10)$$

The set of all possible types of sequences in $\mathcal{Y}^n$ is denoted by $\mathcal{P}_n(\mathcal{Y})$, and for $Q \in \mathcal{P}_n(\mathcal{Y})$, the set of sequences of type $Q$ and length $n$ is denoted by $T^n_Q$ or $T^n_Q(\mathcal{Y})$. In what follows, we use

$$|\mathcal{P}_n(\mathcal{Y})| \le (n + 1)^{d-1}, \quad\text{and}\quad \forall Q \in \mathcal{P}_n(\mathcal{Y}),\ |T^n_Q| \le d^{nH(Q)}, \qquad (11)$$

where $d = |\mathcal{Y}|$. Note that if $x \in \mathcal{Y}^n$ has type $Q$, then $p^n(x) = \prod_{s\in\mathcal{Y}} p(s)^{nQ(s)} = d^{-n[H(Q) + D(Q\|p)]}$ for any $p \in \mathcal{P}(\mathcal{Y})$, so that the probability that words of a fixed type $Q \in \mathcal{P}_n(\mathcal{Y})$ occur has the bound

$$p^n(T^n_Q) = \sum_{y\in\mathcal{Y}^n:\, P_y = Q} p^n(y) \le d^{-nD(Q\|p)}. \qquad (12)$$
Now we are ready to prove the existence of a 'balanced' code, which will turn out to be universal. Given a set $C \subseteq \mathbb{F}_d^n$, put

$$M_Q(C) = |\{x \in C \mid P_x = Q\}| = \sum_{x\in\mathbb{F}_d^n} 1[x \in C \text{ and } P_x = Q], \qquad Q \in \mathcal{P}_n(\mathbb{F}_d),$$

where $1[T]$ equals 1 if the statement $T$ is true and equals 0 otherwise, and put

$$M_Q = \frac{1}{|\Lambda|}\sum_{C\in\Lambda} M_Q(C^\perp).$$

Then, we obtain the next lemma following the method in [ref] (cf. [39]).

Lemma 2 For any $n \ge 2$ and $\kappa \le n/2$, there exists a code $C$ in $\Lambda = \Lambda^{(n,\kappa)}$ such that

$$\forall Q \in \mathcal{P}_n(\mathbb{F}_d),\quad M_Q(C^\perp) \le |\mathcal{P}_n(\mathbb{F}_d)|\, M_Q.$$

Remark. The list of numbers $(M_Q(C))_{Q\in\mathcal{P}_n(\mathbb{F}_d)}$, the type spectrum, so to speak, is a natural generalization of the weight spectrum (distribution) in coding theory. In fact, they are the same when $d = 2$.

Proof: Regarding $C$ as a random variable uniformly distributed over $\Lambda$ and using Markov's inequality (e.g., [23]), which states that $\Pr\{X \ge a\mu\} \le 1/a$ for a positive constant $a$ and a random variable $X$ that takes non-negative values and has a positive mean $\mu$, we have

$$\Pr\{\exists Q \in \mathcal{P}_n(\mathbb{F}_d),\ M_Q(C^\perp) \ge |\mathcal{P}_n(\mathbb{F}_d)|^{1+\epsilon} M_Q \text{ and } M_Q > 0\} \le \sum_{Q\in\mathcal{P}_n(\mathbb{F}_d):\, M_Q > 0} \Pr\{M_Q(C^\perp) \ge |\mathcal{P}_n(\mathbb{F}_d)|^{1+\epsilon} M_Q\} \le \frac{1}{|\mathcal{P}_n(\mathbb{F}_d)|^\epsilon}$$

for any $\epsilon > 0$. Hence, $\Pr\{\forall Q \in \mathcal{P}_n(\mathbb{F}_d),\ M_Q(C^\perp) < |\mathcal{P}_n(\mathbb{F}_d)|^{1+\epsilon} M_Q \text{ or } M_Q = 0\} \ge 1 - 1/|\mathcal{P}_n(\mathbb{F}_d)|^\epsilon > 0$. Since $\epsilon > 0$ is arbitrary, this implies the lemma. □

Corollary 2 There exists a code $C$ in $\Lambda = \Lambda^{(n,\kappa)}$ such that for any $Q \in \mathcal{P}_n(\mathbb{F}_d)$, $Q \ne P_{0^n}$,

$$M_Q(C^\perp) \le |\mathcal{P}_n(\mathbb{F}_d)|\, d^{-\kappa+d-1}\, |T^n_Q|.$$

Proof: We have

$$M_Q = \frac{1}{|\Lambda|}\sum_{C\in\Lambda}\sum_{x\in\mathbb{F}_d^n} 1[x \in C^\perp \text{ and } P_x = Q] = \sum_{x\in\mathbb{F}_d^n:\, P_x = Q} \frac{|\Lambda_x|}{|\Lambda|} \le |T^n_Q|\, d^{-\kappa+d-1}, \qquad Q \ne P_{0^n}, \qquad (13)$$






where the inequality is due to Corollary 1, and hence the desired estimate follows from Lemma 2. □

Corollary 2 says that there exists a code $C \in \Lambda$ such that $(M_Q(C^\perp))_{Q\in\mathcal{P}_n(\mathbb{F}_d)}$ is almost proportional to $(M_Q(\mathbb{F}_d^n))_{Q\in\mathcal{P}_n(\mathbb{F}_d)} = (|T^n_Q|)_{Q\in\mathcal{P}_n(\mathbb{F}_d)}$. [Clearly, the code $C^\perp$ in this corollary satisfies the Gilbert-Varshamov bound asymptotically.] We will see that the code in Lemma 2 or Corollary 2 has the universality mentioned above.

The decoding should also possess such universality. Note that for CSS codes, in theory, the design of a decoder is accomplished by choosing a transversal of $\mathbb{F}_d^n/C^\perp$. Based on the idea of minimum entropy decoding, from each of the $d^\kappa$ cosets of $C^\perp$ in $\mathbb{F}_d^n$, we choose a vector that minimizes $H(P_x)$ in the coset. To break ties, we use an arbitrarily fixed order, say a lexicographic order in $\mathbb{F}_d^n$.
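To make the method of types and the minimum entropy decoder concrete, here is an added Python example (not from the paper) on the constructed toy instance $\mathbb{F}_3^4$ with one-dimensional self-orthogonal codes $C = \mathrm{span}\{g\}$. It computes types (10), checks the bounds (11) and (12) against a channel distribution $p$ chosen for the example, builds the minimum entropy transversal $\Gamma$ of $\mathbb{F}_3^4/C^\perp$ with lexicographic tie-breaking as described above, evaluates the decoding error probabilities $p^n(\Gamma^c)$ and $p^n(\Gamma'^c)$ for $\Gamma' = \Gamma + C$ (Remark 2 to Theorem 1), and finds, by enumerating $\Lambda^{(4,1)}$, a code with the balanced type spectrum of Lemma 2. The function and variable names are the example's own.

```python
import itertools
import math
from collections import Counter
from fractions import Fraction

# Constructed toy instance (not from the paper): F_3^4 and one-dimensional
# self-orthogonal codes C = span{g}, i.e. Lambda^{(4,1)}; kappa = 1, k = n - 2 kappa = 2.
d, n = 3, 4
WORDS = list(itertools.product(range(d), repeat=n))   # F_d^n in lexicographic order


def dot(x, y):
    return sum(a * b for a, b in zip(x, y)) % d


def add(x, y):
    return tuple((a + b) % d for a, b in zip(x, y))


def type_of(y):
    """Type P_y of eq. (10): relative frequency of each symbol of F_d in y."""
    cnt = Counter(y)
    return tuple(Fraction(cnt[s], len(y)) for s in range(d))


def entropy(Q):
    """H(Q) with base-d logarithms."""
    return -sum(float(q) * math.log(float(q), d) for q in Q if q)


def divergence(Q, p):
    """Kullback-Leibler information D(Q||p), base d (p must have full support)."""
    return sum(float(q) * math.log(float(q) / p[s], d) for s, q in enumerate(Q) if q)


TYPE_CLASSES = {}                                     # Q -> T_Q^n (words of type Q)
for _x in WORDS:
    TYPE_CLASSES.setdefault(type_of(_x), []).append(_x)


def word_prob(p, x):
    """p^n(x) for a memoryless distribution p on F_d."""
    return math.prod(p[s] for s in x)


def check_type_bounds(p):
    """Inequalities (11) and (12) for every type of length n and the distribution p."""
    if len(TYPE_CLASSES) > (n + 1) ** (d - 1):
        return False
    for Q, T in TYPE_CLASSES.items():
        if len(T) > d ** (n * entropy(Q)) + 1e-9:
            return False
        if sum(word_prob(p, x) for x in T) > d ** (-n * divergence(Q, p)) + 1e-9:
            return False
    return True


def dual(g):
    """C^perp for C = span{g}."""
    return [x for x in WORDS if dot(x, g) == 0]


def min_entropy_transversal(g):
    """Gamma: from each coset of C^perp pick the word minimizing H(P_x),
    ties broken by lexicographic order (the decoder design in the text)."""
    c_perp, reps, seen = dual(g), [], set()
    for x in WORDS:
        if x not in seen:
            coset = [add(x, s) for s in c_perp]
            reps.append(min(coset, key=lambda y: (entropy(type_of(y)), y)))
            seen.update(coset)
    return reps


def decoding_error(p, g, effective=False):
    """p^n(Gamma^c); with effective=True, p^n(Gamma'^c) for Gamma' = Gamma + C (Remark 2)."""
    gamma = set(min_entropy_transversal(g))
    if effective:
        code = [tuple((c * a) % d for a in g) for c in range(d)]
        gamma = {add(x, c) for x in gamma for c in code}
    return 1 - sum(word_prob(p, x) for x in gamma)


def self_orthogonal_generators():
    """One generator g (leading non-zero entry 1) per code in Lambda^{(n,1)}."""
    return [g for g in WORDS
            if any(g) and dot(g, g) == 0 and g[next(i for i, a in enumerate(g) if a)] == 1]


def balanced_code():
    """Lemma 2 on this instance: a code C with M_Q(C^perp) <= |P_n(F_d)| M_Q for all
    types Q, where M_Q averages M_Q(C^perp) over Lambda. Returns its generator."""
    gens = self_orthogonal_generators()
    spectra = {g: Counter(type_of(x) for x in dual(g)) for g in gens}
    avg = {Q: sum(sp[Q] for sp in spectra.values()) / len(gens) for Q in TYPE_CLASSES}
    for g in gens:
        if all(spectra[g][Q] <= len(TYPE_CLASSES) * avg[Q] for Q in TYPE_CLASSES):
            return g
    return None
```

For $g = (1, 1, 1, 0)$ the decoder keeps the all-zero word and the two single-digit errors in the third position as coset leaders, and adding $C$ to $\Gamma$ visibly enlarges the set of errors that leave the key unchanged.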

Proof of Theorem 1. In the proof, $\mathcal{P}_n(\mathbb{F}_d)$ is abbreviated as $\mathcal{P}_n$. Fix a code $C$ with the property in Corollary 2 and a transversal $\Gamma$ chosen as above. We will show $C$ is the desired code. Let $S_n$ be the group composed of all permutations on $\{1, \dots, n\}$ and assume $\pi \in S_n$, when applied to $C$ or $\Gamma$, permutes all words in $C$ or $\Gamma$ as $\pi([x_1, \dots, x_n]) = [x_{\pi(1)}, \dots, x_{\pi(n)}]$. Clearly, $p^n(\pi(\Gamma)) = p^n(\Gamma)$ for any $\pi \in S_n$ and any probability distribution $p$ on $\mathbb{F}_d$. For a technical reason, we will evaluate the ensemble average of $p^n(\pi(\Gamma)^c)$ over $S_n$, which equals $p^n(\Gamma^c)$, the original quantity in question. Specifically, put

$$B(p) = \frac{1}{|S_n|}\sum_{\pi\in S_n} p^n(\pi(\Gamma)^c) \qquad (14)$$

for $p = \overleftarrow{P}, \overrightarrow{P}$. We will show, for some polynomial $f(n)$, that $B(p)$ is bounded above by $f(n)\, d^{-nE^*(R,p)}$, which implies $B(\overleftarrow{P}) + B(\overrightarrow{P}) \le 2f(n)\, d^{-n\min\{E^*(R,\overleftarrow{P}),\,E^*(R,\overrightarrow{P})\}}$. This, together with (9), establishes the theorem.

It was shown that an exponential fidelity bound holds for a 'balanced' ensemble of additive codes [ref]. To take the same approach as in [ref], we show that the ensemble $\pi(C)$, $\pi \in S_n$, is almost 'balanced'. Imagine we list all words in $\pi(C)^\perp$ for all $\pi \in S_n$. Clearly, for any $Q \in \mathcal{P}_n$, there exists a constant, say $L_Q$, such that $|\{\pi \in S_n \mid x \in \pi(C)^\perp\}| = L_Q$ for any word $x$ with $P_x = Q$. Then, counting the number of words of a fixed type $Q$ in the list in two ways, we have $|T^n_Q|\, L_Q = |S_n|\, M_Q(C^\perp)$. Hence, for any type $Q \ne P_{0^n}$,

$$\frac{L_Q}{|S_n|} = \frac{M_Q(C^\perp)}{|T^n_Q|} \le |\mathcal{P}_n|\, d^{-\kappa+d-1}, \qquad (15)$$

where we have used Corollary 2. We have proved the next lemma.

Lemma 3 Put

$$\Lambda_y(C) = \{\pi \in S_n \mid y \in \pi(C)^\perp\}.$$

For $y \in \mathbb{F}_d^n$, $y \ne 0^n$, we have

$$\frac{|\Lambda_y(C)|}{|S_n|} \le |\mathcal{P}_n|\, d^{-\kappa+d-1}.$$
From (14), we have

$$B(p) = \frac{1}{|S_n|}\sum_{\pi\in S_n}\sum_{x\notin\pi(\Gamma)} p^n(x) = \sum_{x\in\mathbb{F}_d^n} p^n(x)\,\frac{|\{\pi\in S_n \mid x\notin\pi(\Gamma)\}|}{|S_n|}. \qquad (16)$$

Since $x \notin \pi(\Gamma)$ occurs only if there exists a word $u \in \mathbb{F}_d^n$ such that $H(P_u) \le H(P_x)$ and $u - x \in \pi(C)^\perp \setminus \{0^n\}$ from the design of $\Gamma$ specified above (minimum entropy decoding), it follows that

$$\begin{aligned}
\frac{|\{\pi\in S_n \mid x\notin\pi(\Gamma)\}|}{|S_n|}
&\le \sum_{u\in\mathbb{F}_d^n:\, H(P_u)\le H(P_x),\, u\ne x} \frac{|\Lambda_{u-x}(C)|}{|S_n|} \\
&\le \sum_{u\in\mathbb{F}_d^n:\, H(P_u)\le H(P_x)} |\mathcal{P}_n|\, d^{-(\kappa-d+1)} \\
&= \sum_{Q'\in\mathcal{P}_n:\, H(Q')\le H(P_x)} |\mathcal{P}_n|\,|T^n_{Q'}|\, d^{-(\kappa-d+1)} \\
&\le \sum_{Q'\in\mathcal{P}_n:\, H(Q')\le H(P_x)} |\mathcal{P}_n|\, d^{nH(Q')-(\kappa-d+1)}, \qquad (17)
\end{aligned}$$

where we have used Lemma 3 for the second inequality, and (11) for the last inequality. Then, recalling (7) and (12), and choosing the smallest integer $k$ such that $k \ge nR$ and $\kappa = (n - k)/2$ is an integer, which implies $nR \le k \le nR + 2$, with repeated use of the inequality $\min\{s + t, 1\} \le \min\{s, 1\} + \min\{t, 1\}$ for $s, t \ge 0$, we can proceed from (16) as follows:



$$\begin{aligned}
B(p) &\le \sum_{x\in\mathbb{F}_d^n} p^n(x)\,\min\Big\{\sum_{Q'\in\mathcal{P}_n:\, H(Q')\le H(P_x)} |\mathcal{P}_n|\, d^{nH(Q')-(\kappa-d+1)},\ 1\Big\} \\
&\le |\mathcal{P}_n| \sum_{Q\in\mathcal{P}_n} d^{-nD(Q\|p)+d} \sum_{Q'\in\mathcal{P}_n:\, H(Q')\le H(Q)} \min\{d^{nH(Q')-\kappa-1},\ 1\} \\
&\le |\mathcal{P}_n| \sum_{Q\in\mathcal{P}_n} d^{-nD(Q\|p)+d} \sum_{Q'\in\mathcal{P}_n:\, H(Q')\le H(Q)} \min\{d^{-n(1-R-2H(Q'))/2},\ 1\} \\
&\le |\mathcal{P}_n|^2 \sum_{Q\in\mathcal{P}_n} d^{-nD(Q\|p)+d} \max_{Q'\in\mathcal{P}(\mathbb{F}_d):\, H(Q')\le H(Q)} d^{-n|1-R-2H(Q')|^+/2} \\
&= |\mathcal{P}_n|^2 \sum_{Q\in\mathcal{P}_n} d^{-nD(Q\|p)+d}\, d^{-n|1-R-2H(Q)|^+/2} \\
&\le d^d\, |\mathcal{P}_n|^3 \max_{Q} d^{-n[D(Q\|p) + |1-R-2H(Q)|^+/2]} = d^d\, |\mathcal{P}_n|^3\, d^{-nE^*(R,p)}.
\end{aligned}$$

Hence, we have

$$B(\overleftarrow{P}) + B(\overrightarrow{P}) = \frac{1}{|S_n|}\sum_{\pi\in S_n}\big[\overleftarrow{P}{}^n(\pi(\Gamma)^c) + \overrightarrow{P}{}^n(\pi(\Gamma)^c)\big] \le 2d^d\, |\mathcal{P}_n|^3\, d^{-n\min\{E^*(R,\overleftarrow{P}),\,E^*(R,\overrightarrow{P})\}}. \qquad (18)$$

Since $|\mathcal{P}_n| \le (n + 1)^{d-1}$, we obtain the desired bound. □
3.2. The case where $d = 2$

Calderbank and Shor [10] proved the following lemma based on a result in coding theory.

Lemma 4 Assume $d = 2$, $n \ge 2$ is an even integer, and $0 < \kappa \le n/2$ is an integer. Let

$$\Lambda = \{C \subseteq \mathbb{F}_2^n \mid C \text{ linear},\ \{1^n\} \subseteq C \subseteq C^\perp,\ \dim C = \kappa\},$$

and

$$\Lambda_x = \{C \in \Lambda \mid x \in C^\perp\}.$$

Then, there exists a constant $T_0$ satisfying $|\Lambda_x| = T_0$ for any $x \in \mathbb{F}_2^n$ with $x\cdot x = 0$, $x \ne 0^n$ and $x \ne 1^n$.

Corollary 3 For $x \in \mathbb{F}_2^n$,

$$\frac{|\Lambda_x|}{|\Lambda|} \begin{cases} \le 2^{-\kappa+1} & \text{if } x \ne 0^n \text{ and } x \ne 1^n \\ = 1 & \text{if } x = 0^n \text{ or } x = 1^n. \end{cases}$$

Remark. Trivially, $|\Lambda_x| = 0$ for all $x$ with $x\cdot x = 1$ since $x\cdot x = x\cdot 1^n$. We can also prove this lemma by noticing a hidden structure of a symplectic space. Namely, letting $\mathbb{F}_{\mathrm{even}}$ be the set of all words $x$ with $x\cdot x = 0$ in $\mathbb{F}_2^n$, and noting that the additive quotient group $\mathbb{F}_{\mathrm{even}}/\mathrm{span}\,1^n$, where $\mathrm{span}\,1^n = \{0^n, 1^n\}$, is a symplectic space equipped with the natural form $(x + \mathrm{span}\,1^n)\cdot(y + \mathrm{span}\,1^n) = x\cdot y$, we can argue as in the proof of Lemma 1.

In Theorem 1, due to Remark 3 thereof, we could have used $\Gamma'$ or a subset $\tilde{\Gamma}$ of $\Gamma'$ in place of $\Gamma$ for the purposes of evaluating the fidelity (and the probability of disagreement between Alice's key and Bob's, due to Remark 2 to Theorem 1). Namely, we obtain Theorem 1 with '$d \ge 3$' and '$P^n(J(\Gamma_n)^c) \le \overleftarrow{P}{}^n(\Gamma_n^c) + \overrightarrow{P}{}^n(\Gamma_n^c)$' replaced by '$d = 2$ and $n$ is even' and '$P^n(J(\tilde{\Gamma}_n)^c) \le \overleftarrow{P}{}^n(\tilde{\Gamma}_n^c) + \overrightarrow{P}{}^n(\tilde{\Gamma}_n^c)$', respectively, where $\tilde{\Gamma}_n = \Gamma_n + \mathrm{span}\,1^n$, and using Corollary 3 instead of Corollary 1 in the above proof of Theorem 1. In fact, with $\Gamma$ replaced by $\tilde{\Gamma}$, the proof of Theorem 1 can be read verbatim except for the first inequality in (17), which should be replaced by

$$|\{\pi \in S_n \mid x \notin \pi(\tilde{\Gamma})\}| \le \sum_{u\in\mathbb{F}_2^n:\, H(P_u)\le H(P_x),\, u - x \notin \{0^n, 1^n\}} |\Lambda_{u-x}(C)|,$$

and a few other words. Thus, the statement of Theorem 1 is true for $d = 2$ with $\Gamma$ replaced by $\tilde{\Gamma}$ and with the restriction of $n$ being even, where the code $C_n$ always contains $1^n$. [For $d = 2$ and $n$ odd, a geometric argument based on isometries as before shows that the rate $1 - 2h((\delta_X + \delta_Z)/2)$ is achievable for $(\delta_X + \delta_Z)/2 < 1/2$, whereas the restriction $(\delta_X + \delta_Z)/2 < 1/2$ is not needed for $n$ even. In this case, we use isometries on $\mathbb{F}_2^n$ that fix $1^n$, with respect to the dot product, noticing that $\mathbb{F}_2^n = \mathbb{F}_{\mathrm{even}} + \mathrm{span}\,1^n$ and $1^n$ is orthogonal to $\mathbb{F}_{\mathrm{even}}$ in order to prove the existence of balanced codes; we use the minimum Hamming distance decoding in place of the minimum entropy decoding.]
4. Bennett-Brassard 1984 Quantum Key Distribution Protocol

In the proof of the security of the BB84 protocol, Shor and Preskill used the observation of Lo and Chau [ref], who upper-bounded the amount of information that the eavesdropper, Eve, could obtain on the key by the Holevo bound [ref]. However, a similar observation using the Holevo bound had already been made by Schumacher [28, Section V-C], who directly related Eve's information with quantum channel codes. In this section, we will apply Schumacher's argument to CSS codes to avoid a detour to entanglement distillation.

4-1. Quantum Codes and Quantum Cryptography 

Suppose we send a k-digit key $v + C \in C^\perp/C$ encoded into $|\phi_{xzv}\rangle \in Q_{xz}$, where
we regard X, Z, V as random variables, and (X, Z, V) are chosen according to
the uniform distribution. Once Eve has done an eavesdropping, namely, a series of
measurements, Eve's measurement results form another random variable, say, E. We
use the standard symbol I to denote the mutual information (Appendix D).
According to [28, Section V-C],

$I(V; E \mid X = x, Z = z) \le S_{xz}$ (19)

where $S_{xz}$ is the entropy exchange after the system suffers a channel noise $\mathcal{N}$, Eve's
attack $\mathcal{E}$, another channel noise $\mathcal{N}'$, and the recovery operation $\mathcal{R} = \mathcal{R}_{xz}$ for $Q_{xz}$ at
the receiver's end. Let us denote by $F_{xz}$ the fidelity of the code $(Q_{xz}, \mathcal{R})$ employing the
entanglement fidelity $F_e$ [28]. Specifically,

$F_{xz} = F_e(\pi_{Q_{xz}}, \mathcal{R}\mathcal{N}'\mathcal{E}\mathcal{N})$

where $\pi_Q$ denotes the normalized projection operator onto Q, and $\mathcal{B}\mathcal{A}(\rho) = \mathcal{B}(\mathcal{A}(\rho))$
for two CP maps $\mathcal{A}$ and $\mathcal{B}$, etc. Then, by the quantum Fano inequality [28, Section VI],
we have

$S_{xz} \le h(F_{xz}) + (1 - F_{xz})\,2nR$ (20)

where $R = n^{-1}\log_d \dim Q_{xz}$. Combining (19) and (20) and taking the averages of both
sides, we obtain

$I(V; E \mid XZ) \le \mathsf{E}\,h(F_{xz}) + (1 - \mathsf{E}F_{xz})\,2nR$

$\qquad\qquad\quad \le h(\mathsf{E}F_{xz}) + (1 - \mathsf{E}F_{xz})\,2nR,$ (21)

where $\mathsf{E}$ denotes the expectation operator with respect to (X, Z). Hence, if $1 - \mathsf{E}F_{xz}$
goes to zero faster than 1/n, then $I(V; E \mid XZ) \to 0$ as $n \to \infty$. We have seen that the
convergence is, in fact, exponential for some good CSS codes, viz., $1 - \mathsf{E}F_{xz} \le d^{-nE + o(n)}$
with some E > 0. This, together with (21), implies

$I(V; E \mid XZ) \le 2d^{-nE + o(n)}\,[n(E + R) - o(n)],$ (22)

where we used the upper bound $-2t\log t$ for $h(t)$, $0 < t \le 1/2$, which can easily be
shown by differentiating $t\log t$ (or by Lemma 2.7 of [17]). Thus, we could safely send a
key $v + C$ provided we could send the entangled state $|\phi_{xzv}\rangle$ defined above and the noise level
of the quantum channel including Eve's action were tolerable by the quantum code.
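The step from (21) to (22), written out here as an added derivation (not part of the original text), with logarithms to base d so that $\log_d d^{-nE+o(n)} = -nE + o(n)$, and using that $h(t) = h(1-t)$:

\[
\begin{aligned}
t &:= 1 - \mathsf{E}F_{xz} \le t_0 := d^{-nE+o(n)}, \\
h(\mathsf{E}F_{xz}) = h(t) &\le -2t\log_d t \le -2t_0\log_d t_0 = 2t_0\,[nE - o(n)], \\
(1 - \mathsf{E}F_{xz})\,2nR &\le 2t_0\,nR, \\
I(V; E \mid XZ) &\le 2t_0\,[nE - o(n)] + 2t_0\,nR = 2d^{-nE+o(n)}\,[n(E+R) - o(n)],
\end{aligned}
\]

where the second inequality on the second line uses that $-t\log_d t$ is increasing for $0 < t \le 1/e$, which holds for $t \le t_0$ once n is large.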

4.2. Reduction to the Bennett-Brassard 1984 Protocol

To reduce the above protocol to a more practical one, namely the BB84 protocol, we use
Shor and Preskill's observation that the probabilistic mixture of $|\phi_{xzv}\rangle$ with x, v fixed
and z chosen uniformly at random over $\mathbb{F}_d^n/C^\perp$ is given as

$|C|^{-1}\sum_{z \in \mathbb{F}_d^n/C^\perp} |\phi_{xzv}\rangle\langle\phi_{xzv}| = |C|^{-1}\sum_{w \in C} |w + v + x\rangle\langle w + v + x|,$ (23)

which can be prepared as the mixture of states $|w + v + x\rangle$ with no entanglement. Then,
it is seen that sending the key v encoded into the state in (23) with x chosen randomly
is exactly what is done in the following protocol of Bennett and Brassard, which is
essentially the same as that in [ref.] except that a CSS code of a higher rate is chosen in
Step (vii).

In the protocol, three more sequences of independent and identically
distributed binary random variables a, b, c are introduced, where $a = (a_1, \dots, a_m)$ and so on. The
probability of occurrence of 1 for the bits of a, b, c will be denoted by $p_a$, $p_b$, $p_c$,
respectively, where $p_a, p_b, p_c \in (0, 1)$. We put

$r = \dfrac{p_a p_b}{p_a p_b + (1 - p_a)(1 - p_b)},$ (24)

which is the expected ratio of the number of i's with $a_i = b_i = 1$ to that of i's with $a_i = b_i$.
In what follows, the Z-basis denotes the collection $\{|j\rangle\}$, $j \in \mathbb{F}_d$, and the Z-basis measurement
denotes the simple (projective) measurement $\{|j\rangle\langle j|\}_j$. We also say 'measure Z' in
place of 'perform the Z-basis measurement'. The X-basis, X-basis measurement, and
'measure X' are to be similarly understood with the d orthogonal eigenstates of X.
Specifically, the X-basis consists of

$|j\rangle' = d^{-1/2}\sum_{l \in \mathbb{F}_d} \omega^{jl}\,|l\rangle, \quad j \in \mathbb{F}_d.$

BB84 protocol

(i) The sender, Alice, and the receiver, Bob, do Steps (ii)-(iv) for each i = 1, ..., m.

(ii) Alice chooses a random bit $a_i$. She prepares her system in one state that is chosen
uniformly at random from the Z-basis if $a_i$ is 0, or in one from the X-basis if $a_i$ is 1.

(iii) Alice sends the prepared state to Bob.

(iv) Bob chooses another random bit $b_i$, receives the state, and performs the Z-basis
measurement if $b_i$ is 0, or the X-basis measurement if $b_i$ is 1.

(v) Alice and Bob announce $a = (a_1, \dots, a_m)$ and $b = (b_1, \dots, b_m)$, respectively.

(vi) Alice and Bob discard any results where $a_i \ne b_i$. Alice draws another string of
random bits $c = (c_1, \dots, c_m)$, and sends it to Bob through a public channel. They
decide that those d-ary digits with the accompanying $c_i$ being 0 will be the code
digits, i.e., will be used for key transmission with a CSS code. In the case where
d = 2, it is assumed that the number of the code digits is even (if not, they divert
one digit chosen in an arbitrary manner to estimation of the noise level in the
following step).

(vii) Alice and Bob announce the values of their non-code digits which are accompanied
by $c_i = 1$, and from these and $a_i$ (= $b_i$), estimate the noise level, and decide on a
secure transmission rate and a CSS code, i.e., a pair (C, T), to be used (the exact
meaning will be clear in Section 6).

(viii) Alice announces the coset $y + C^\perp$, where y (= w + v + x) is the string consisting of
the remaining code digits. In other words, she announces the coset representative
$x \in \mathbb{F}_d^n/C^\perp$ of the coset $y + C^\perp$, or equivalently, the syndrome $(y \cdot g_j)_{j=1}^{\kappa}$.

(ix) Bob subtracts the coset representative $x \in \mathbb{F}_d^n/C^\perp$ from his code digits, y − e, and
corrects the result y − x − e to a codeword u in $C^\perp$, where he uses the decoder such
that u = y − x if $e \in T$.

(x) Alice uses the coset $(y - x) + C \in C^\perp/C$ and Bob uses $u + C \in C^\perp/C$ as the key.

In Step (viii), $x \in \mathbb{F}_d^n/C^\perp$ means that x is chosen from the transversal of $\mathbb{F}_d^n/C^\perp$
shared by Alice and Bob, which may be assumed to be T. In short, by the law
of large numbers, about $[(1 - p_a)p_b + p_a(1 - p_b)]\,m$ copies of states are discarded,
about $(1 - p_c)[(1 - p_a)(1 - p_b) + p_a p_b]\,m$ copies are used for transmission of the key
with CSS codes, the reliability of which was evaluated in Section 3, and the about
$p_c[(1 - p_a)(1 - p_b) + p_a p_b]\,m$ remaining copies are used for estimation of the noise level,
which will be explicated in Section 5.

In what follows, we analyze the security of the protocol under the 'individual
attack' assumption that Eve obtains data by an identical measurement on each
particle. In particular, this assumption includes that Eve cannot change her measurement
according to the value of $a_i$ or $b_i$. A measurement is modeled as a completely positive
(CP) instrument whose measurement result belongs to a finite or countable set (e.g.,
[refs.]). We also assume that the channel noises $\mathcal{N}, \mathcal{N}'$ are tensor products of
identical copies of a CP map. Namely, we assume a state $\rho \in \mathsf{L}(H)$ of each particle suffers
a change $\rho \mapsto \sum_i A_i \rho A_i^\dagger$, and Eve obtains i, or part of it, with probability $\mathrm{Tr}\, A_i^\dagger A_i \rho$ as
information on this particle.

We remark that some quantities such as Z = z and the quantum code $(Q_{xz}, \mathcal{R})$ are
artifices that have been introduced only to establish the security, and are not needed in
practice. For example, in the protocol, only half of the decoding operation $\mathcal{R}$ (the part
where half of the syndrome, viz., $(x \cdot g_j)_{j=1}^{\kappa}$, matters) is performed. This can be
viewed as the decoding for the classical code $C^\perp$ (more precisely, the coset code $y + C^\perp$),
and the decoding error probability of this classical code $C^\perp$, together with $1 - \mathsf{E}F_{xz}$
for the corresponding CSS code CSS(C, T), has been upper-bounded exponentially in
Theorem 1.
5. Estimation of Channel Parameters

Roughly speaking, the BB84 protocol consists of CSS coding and estimation of channel 
parameters. This section explicates how the estimation works in the present case of 
individual attacks. 

Since Alice and Bob use the X-basis or Z-basis at random, the change suffered by
a transmitted state, if it is assumed to be a Z-basis element $|j\rangle$ initially, is either $\mathcal{A}$ or
$\mathcal{A}' = \mathcal{U}^{-1}\mathcal{A}\mathcal{U}$ according as the Z-basis ($a_i = b_i = 0$) or the X-basis ($a_i = b_i = 1$) is
used, where $\mathcal{A}$ represents Eve's action plus the channel noises for each digit sent, and
$\mathcal{U}$ denotes the Fourier transform

$\mathcal{U}(\rho) = U\rho U^\dagger$

with $U = d^{-1/2}\sum_{j, l \in \mathbb{F}_d} \omega^{jl}\,|j\rangle\langle l|$.

Note that the X-basis and Z-basis $\{|j\rangle\}$ are related by

$|j\rangle' = U|j\rangle, \quad j \in \mathbb{F}_d.$

We use the following well-known one-to-one map of Choi [42] between the CP maps
on $\mathsf{L}(H^{\otimes n})$ and the positive semi-definite operators in $\mathsf{L}(H^{\otimes n} \otimes H^{\otimes n})$:

$M_n(\mathcal{V}) = [\mathcal{I} \otimes \mathcal{V}](|\Psi\rangle\langle\Psi|),$ (25)

where $\mathcal{I}$ is the identity map on $\mathsf{L}(H^{\otimes n})$, and $|\Psi\rangle$ is a maximally entangled state given
by

$|\Psi\rangle = d^{-n/2}\sum_{l} |l\rangle \otimes |l\rangle$

with some orthonormal basis $B = \{|l\rangle\}$ of $H^{\otimes n}$. Choi introduced $d^n M_n(\mathcal{V})$ in matrix
form to establish the fundamentals of CP maps.

In the present case, we assume $|l\rangle = |l_1\rangle \otimes \cdots \otimes |l_n\rangle$, $l = (l_1, \dots, l_n) \in \mathbb{F}_d^n$, and let

$|\Psi_y\rangle = d^{-n/2}\sum_{l \in \mathbb{F}_d^n} |l\rangle \otimes N_y|l\rangle, \quad y \in \mathcal{X}^n.$ (26)

These $d^{2n}$ vectors form an orthonormal basis of $H^{\otimes n} \otimes H^{\otimes n}$ (e.g., [18]). Recall that
a symplectic code has a collection of subspaces $\{Q_\xi\}$ and recovery operators $\mathcal{R}_\xi$ for
each ξ, where ξ corresponds to the syndrome and has been written as xz for CSS
codes. It is known that an $N_J$-correcting symplectic code $(Q_\xi, \mathcal{R}_\xi)$, used on a channel
$\mathcal{V}_n : \mathsf{L}(H^{\otimes n}) \to \mathsf{L}(H^{\otimes n})$, has entanglement fidelity, averaged over all ξ with equal
probabilities, not smaller than $\sum_{y \in J} P_{\mathcal{V}_n}(y)$:

$\mathsf{E}_\xi F_e(\pi_{Q_\xi}, \mathcal{R}_\xi \mathcal{V}_n) \ge \sum_{y \in J} P_{\mathcal{V}_n}(y),$ (27)

where $P_{\mathcal{V}_n}(x)$ is associated with the channel $\mathcal{V}_n$ via

$P_{\mathcal{V}_n}(x) = \langle\Psi_x| M_n(\mathcal{V}_n) |\Psi_x\rangle, \quad x \in \mathcal{X}^n,$ (28)

and $\mathsf{E}_\xi$ is the expectation operator. This bound is implicit in [7] as explained in
Appendix A; the bound is tight for the largest choice of J [27].

Our channel to be analyzed has the product form $\mathcal{V}_n = \mathcal{M}^{\otimes n}$, and hence $P_{\mathcal{V}_n}$ also
has the product form. Here, we have assumed Alice and Bob do not use the values of $a_i$ (= $b_i$) for coding,
which implies that $\mathcal{M}$ can be regarded as the mixture

$\mathcal{M} = (1 - r)\mathcal{A} + r\mathcal{A}'.$

Note, especially in the case where d = 2, that $P_{\mathcal{A}}$ and $P_{\mathcal{A}'}$ are related by

$P_{\mathcal{A}'}(s, t) = P_{\mathcal{A}}(t, s), \quad s, t \in \mathbb{F}_d,$ (29)

since X and Z are switched with each other by $\mathcal{U}$. More generally, we have

$P_{\mathcal{A}'}(s, t) = P_{\mathcal{A}}(t, -s), \quad s, t \in \mathbb{F}_d,$ (30)

which is proved in Appendix A.

The quantity $P_{\mathcal{A}}(s, t)$ is the probability of obtaining (s, t) with the measurement
$\{|\Psi_{(s,t)}\rangle\langle\Psi_{(s,t)}|\}_{(s,t) \in \mathbb{F}_d^2}$ on the system in the state $M_1(\mathcal{A})$. However, this seems hard
to implement, so we divide the problem. We measure either s or t per sample of
the state $M_1(\mathcal{A})$. To do this, note that

$Z \otimes Z^{-1}\,|\Psi_{(s,t)}\rangle = \omega^s\,|\Psi_{(s,t)}\rangle$ (31)

for $(s, t) \in \mathbb{F}_d^2$. This implies that measuring eigenvalues of $Z \otimes Z^{-1}$, i.e., performing
the measurement $\{\sum_{t \in \mathbb{F}_d} |\Psi_{(s,t)}\rangle\langle\Psi_{(s,t)}|\}_{s \in \mathbb{F}_d}$ in the state $M_1(\mathcal{A})$ gives the result s with
probability $P_{\mathcal{A}}(s)$. Measuring eigenvalues of $Z \otimes Z^{-1}$ is still imaginary, but measuring
eigenvalues of $Z \otimes I$ and then $I \otimes Z^{-1}$ is completely simulated by sending one of the
eigenstates of Z at random (according to the uniform distribution) through $\mathcal{A}$ and
measuring $Z^{-1}$ at the receiver's end, and $P_{\mathcal{A}}(s)$ equals the probability that the difference
$l - l'$ between the sent digit l and the received one l' is s. For a natural estimate of
$P_{\mathcal{A}}(s)$ needed in the BB84 protocol, we use the relative frequency of the appearances of
$s \in \mathbb{F}_d$ in the sequence of the observed differences $l_i - l_i'$. In words, we use the type $P_{\mathrm{V}}$ of
V as the estimate of $P_{\mathcal{A}}$, where the random variable V is the sequence of the differences
$l_i - l_i'$ and we use only the digits $l_i$ and $l_i'$ accompanied by $(a_i, b_i, c_i) = (0, 0, 1)$. Noticing
(30), we use a similar estimate, say $P_{\mathrm{W}}$, for the distribution associated with $\mathcal{A}'$, which is obtained from the sequence
W of the differences $l_i' - l_i$ (note the reversed sign) of those $l_i$ and $l_i'$ accompanied by $(a_i, b_i, c_i) = (1, 1, 1)$.
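The sifting of Steps (i)-(vii) and the estimates $P_{\mathrm{V}}$, $P_{\mathrm{W}}$ just described, simulated classically as an added example (not code from the paper). It assumes a classical error-pair model of the channel $\mathcal{A}$ and the sign conventions stated in the docstring, and the joint distribution it uses is a constructed sample.

```python
"""Classical simulation of the BB84 sifting (Steps (i)-(vii)) and of the
channel-parameter estimates P_V and P_W of Section 5.  Added illustration,
not code from the paper.  Assumptions (not in the paper): the channel A is
modelled classically by a joint distribution P_A(s, t) of shift/phase error
pairs on F_d x F_d; a shift error s on a Z-basis digit l yields l' = l - s,
so that l - l' = s; for X-basis digits the channel is A' whose error pair is
(-t, s) when (s, t) is drawn from P_A, which is relation (30)."""
import random
from collections import Counter


def sample_pair(rng, P_A):
    """Draw an error pair (s, t) from the joint distribution P_A (a dict)."""
    u, acc = rng.random(), 0.0
    for pair, prob in P_A.items():
        acc += prob
        if u < acc:
            return pair
    return pair  # only reached through floating-point rounding at the top end


def run_bb84_sifting(m, d, p_a, p_b, p_c, P_A, rng):
    """Steps (i)-(vii) for m rounds.  Returns the positions of the code digits
    (a_i = b_i, c_i = 0) and the two difference sequences
      V = (l_i - l_i')  for (a_i, b_i, c_i) = (0, 0, 1),
      W = (l_i' - l_i)  for (a_i, b_i, c_i) = (1, 1, 1)  (reversed sign)."""
    a = [int(rng.random() < p_a) for _ in range(m)]
    b = [int(rng.random() < p_b) for _ in range(m)]
    c = [int(rng.random() < p_c) for _ in range(m)]
    code_positions, V, W = [], [], []
    for i in range(m):
        l = rng.randrange(d)             # Alice's digit, uniform over F_d
        s, t = sample_pair(rng, P_A)     # error pair of the channel A
        if a[i] == 0:
            l_recv = (l - s) % d         # Z-basis: shifted by s
        else:
            l_recv = (l + t) % d         # X-basis: A' shifts by -t, see (30)
        if a[i] != b[i]:
            continue                     # Step (vi): basis mismatch, discarded
        if c[i] == 0:
            code_positions.append(i)     # reserved for CSS coding
        elif a[i] == 0:
            V.append((l - l_recv) % d)
        else:
            W.append((l_recv - l) % d)
    return code_positions, V, W


def type_of(seq, d):
    """Empirical distribution (type) of a digit sequence over F_d."""
    cnt = Counter(seq)
    return {x: (cnt[x] / len(seq) if seq else 0.0) for x in range(d)}


def marginals(P_A, d):
    """P_A(s) = sum_t P_A(s, t) and the phase-error marginal sum_s P_A(s, t)."""
    first = {s: sum(P_A.get((s, t), 0.0) for t in range(d)) for s in range(d)}
    second = {t: sum(P_A.get((s, t), 0.0) for s in range(d)) for t in range(d)}
    return first, second


def total_variation(p, q):
    return 0.5 * sum(abs(p[x] - q[x]) for x in p)


def expected_counts(m, p_a, p_b, p_c):
    """r of (24) and the expected numbers of discarded, code and estimation
    digits stated after Step (x)."""
    r = p_a * p_b / (p_a * p_b + (1 - p_a) * (1 - p_b))
    kept = (1 - p_a) * (1 - p_b) + p_a * p_b
    return r, ((1 - kept) * m, (1 - p_c) * kept * m, p_c * kept * m)


def demo(seed=1, m=20000, d=3, P_A=None):
    """Run one protocol instance and compare the estimates with the true
    marginals of P_A.  The default P_A is a constructed sample distribution."""
    rng = random.Random(seed)
    if P_A is None:
        P_A = {(0, 0): 0.80, (1, 0): 0.06, (2, 0): 0.04,
               (0, 1): 0.05, (0, 2): 0.03, (1, 1): 0.02}
    code, V, W = run_bb84_sifting(m, d, 0.5, 0.5, 0.2, P_A, rng)
    P_V, P_W = type_of(V, d), type_of(W, d)
    first, second = marginals(P_A, d)
    return {"n_code": len(code), "nu": len(V) + len(W),
            "P_V": P_V, "P_W": P_W,
            "tv_V": total_variation(P_V, first),    # P_V estimates P_A(s)
            "tv_W": total_variation(P_W, second)}   # P_W estimates the phase marginal


if __name__ == "__main__":
    print(demo())
```

With the reversed sign in W, the type of W tracks the phase-error marginal of $P_{\mathcal{A}}$, which is what the sign convention of (30) buys.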



6. Security of the Bennett-Brassard 1984 Protocol

In this section, finally, we establish the security of the BB84 protocol for high
rates using Theorem 1. This should be done in terms of the random variables involved
in the protocol, namely, Alice's sent digits $\eta^A = (\eta_1^A, \dots, \eta_m^A)$, Bob's received digits
$\eta^B = (\eta_1^B, \dots, \eta_m^B)$, C, X, V, a, b, c, E, and T defined below.
In the BB84 protocol, we should consider the possibility of Eve's obtaining
knowledge of the key from the data sent through the public channel, i.e., X, C, a, b and
c and the non-code digits used for the noise estimation (in our scheme, T is determined
from C, so that it need not be sent). For the purpose of analysis, we convert (a, b) into
(a, d = b − a), where we regard a, b and $d = (d_1, \dots, d_m)$ as vectors over $\mathbb{F}_2$. Let a'
denote the subsequence $a_T$ of a (Appendix D), where $T = \{i \mid c_i = 0 \text{ and } d_i = 0\}$, the
set of the positions of the code digits (with one element thrown away if d = 2 and
n = |T| is initially odd); let a'' denote the subsequence $a_{T^c}$, where $T^c = \{1, \dots, m\} \setminus T$;
we let $Y_A$ [$Y_B$] denote the string of publicly announced non-code (estimation) digits
of Alice [Bob], which is a subsequence of $\eta^A$ [$\eta^B$]. Denote the 7-tuple of random
variables $(C, a'', d, c, T, Y_A, Y_B)$ by S. One criterion for security that takes S into account
is $I(V; EXa' \mid S = s) \approx 0$ for (almost) every definite value of S = s. The rationale
is that we should evaluate the security for any definite values of as many parameters
as possible. To show that our scheme fulfills this criterion, we modify the argument in
Section 4.1 as follows.

The argument in Section 4.1 is applicable to the above protocol if we add the
conditioning on a' and S to the mutual informations I. Specifically, we begin with
$I(V; E \mid X = x, Z = z, a' = a', S = s) \le S_{xz, a', s}$ instead of (19). Note that what we have
evaluated above is the fidelity $\mathsf{E}_{XZ \mid a', s} F_{xz, a', s}$ (and the decoding error probability for key
transmission) of the codes used on the channel $\mathcal{M}^{\otimes n}$, where $S_{xz, a', s}$ and $F_{xz, a', s}$ are the
obvious replacements for $S_{xz}$ and $F_{xz}$ with conditioning on a' = a' and S = s, and $\mathsf{E}_Y$
denotes the expectation operator with respect to a random variable Y. Then, in this
case, we can replace (22) with

$I(V; E \mid XZa', S = s) \le 2d^{-nE + o(n)}\,[n(E + R) - o(n)]$ (32)

using the bound $1 - \mathsf{E}F_{xz, a', s} \le d^{-nE(R, p, p') + o(n)}$ in Theorem 1. From the chain rule of
mutual information [refs.], we have

$I(V; EXZa' \mid S = s) = I(V; XZa' \mid S = s) + I(V; E \mid XZa', S = s),$

where $I(V; XZa' \mid S = s) = 0$ due to the mutual independence of V from X, Z, a' given
S = s, and hence $I(V; EXa' \mid S = s) \le I(V; EXZa' \mid S = s) = I(V; E \mid XZa', S = s)$.
Combining this with (32), we obtain

$I(V; EXa' \mid S = s) \le 2d^{-nE + o(n)}\,[n(E + R) - o(n)].$ (33)

Note that n is also a random variable, which is a function of m and S = s.

Now it is time to clarify the meaning of what is stated in Step (vii) of the BB84
protocol in Section 4. Recall our assumption $p_a, p_b, p_c \in (0, 1)$ and (24), which imply

$0 < r < 1,$

as well as that the channel $\mathcal{M} = (1 - r)\mathcal{A} + r\mathcal{A}'$ stands for Eve's action, which implies that the two marginals of $P_{\mathcal{M}}$ are

$P_{\mathcal{M}} = (1 - r)P_{\mathcal{A}} + rP_{\mathcal{A}'}$ and $(1 - r)P_{\mathcal{A}'}^{\uparrow} + rP_{\mathcal{A}}$, where the operation ↑ on probability
distributions is defined by

$q^{\uparrow}(t) = q(-t), \quad t \in \mathbb{F}_d.$
Let Alice and Bob choose a moderate number E > 0 as a wanted speed of
convergence of the amount of the possible information leakage $I(V; EXa' \mid S = s)$ as well as
a sufficiently small positive constant ε. They use the estimate $P_{\mathrm{V}}$ of $P_{\mathcal{A}}$ and the estimate
$P_{\mathrm{W}}$ of $P_{\mathcal{A}'}^{\uparrow}$ from Section 5. Let $\mathcal{Q}$ consist of triples (α, p, q), where 0 < α < 1, and p, q are
distributions on $\mathbb{F}_d$. With a triple $(\alpha, p, q) \in \mathcal{Q}$, we associate a probability distribution
on $\{0, 1\} \times \mathbb{F}_d$, which we denote by $Q_{\alpha, p, q}$ and specify by $Q_{\alpha, p, q}(0, x) = (1 - \alpha)p(x)$ and
$Q_{\alpha, p, q}(1, x) = \alpha q(x)$, $x \in \mathbb{F}_d$. Let $\lambda_m$ [$\lambda'_m$] denote the number of samples used for the
estimation of $P_{\mathcal{A}}$ [$P_{\mathcal{A}'}^{\uparrow}$], and put $\nu = \lambda_m + \lambda'_m$.

In Step (vii), they choose a rate R such that $E(R, (1 - \alpha)p + \alpha q^{\uparrow}, (1 - \alpha)q + \alpha p) > E$
for any triple $(\alpha, p, q) \in \mathcal{Q}$ such that $\|Q_{\alpha, p, q} - Q_{\lambda'_m/\nu, P_{\mathrm{V}}, P_{\mathrm{W}}}\|_1 \le \varepsilon$, and a code of rate R
and fidelity not smaller than $1 - d^{-nE(R, P_{\mathcal{C}}, P_{\mathcal{C}}') + o(n)}$ for any channel $\mathcal{C}$, the existence of
which is ensured by Theorem 1. [The function o(n) is explicitly given in Remark 4 to
Theorem 1.]

For simplicity, we restrict our attention to the almost sure event where $\nu/m \to$
$[(1 - p_a)(1 - p_b) + p_a p_b]\,p_c > 0$ as $m \to \infty$, which directly follows from the strong
law of large numbers applied to $(d_i, c_i)$, i = 1, 2, ... (e.g., [ref.]). For any m, if
$\|Q_{r, P_{\mathcal{A}}, P_{\mathcal{A}'}^{\uparrow}} - Q_{\lambda'_m/\nu, P_{\mathrm{V}}, P_{\mathrm{W}}}\|_1 \le \varepsilon$, then $E(R, P_{\mathcal{M}}, (1 - r)P_{\mathcal{A}'}^{\uparrow} + rP_{\mathcal{A}}) > E$ as desired. Owing to (12),
the probability (conditioned on specific values of d, c) of the event of estimation failure,
where $\|Q_{r, P_{\mathcal{A}}, P_{\mathcal{A}'}^{\uparrow}} - Q_{\lambda'_m/\nu, P_{\mathrm{V}}, P_{\mathrm{W}}}\|_1 > \varepsilon$, is upper-bounded by

$d^{-\nu \min\{D(Q \,\|\, Q_{r, P_{\mathcal{A}}, P_{\mathcal{A}'}^{\uparrow}}) \,:\, \|Q - Q_{r, P_{\mathcal{A}}, P_{\mathcal{A}'}^{\uparrow}}\|_1 > \varepsilon\} + o(m)},$ (34)

and this goes to zero with probability one in our almost sure event.

Hence, the above version of the BB84 protocol is secure in the sense that, with Eve's
attack modeled as a tensor product of identical copies of a CP instrument, for any
such instrument, either 'the mutual information between the key and the eavesdropper's
obtained data, together with the decoding error probability for the key transmission, is
upper-bounded by $d^{-nE + o(n)}$, where E is positive' or 'the probability that the detection
of eavesdroppers fails is exponentially close to zero'. In particular, reliable and secure key
transmission is possible with this protocol at any rate below

$(1 - p_c)(1 - p_a - p_b + 2p_a p_b)$

$\quad \cdot\, [1 - 2\max\{H((1 - r)P_{\mathcal{A}} + rP_{\mathcal{A}'}),\ H((1 - r)P_{\mathcal{A}'}^{\uparrow} + rP_{\mathcal{A}})\}],$ (35)

where the rate indicates the ratio of the length of the key to the number of uses of the
channel, rather than to the code length of the incorporated CSS code.

7. Discussions

The achievability of the rate $[1 - 2h(\delta_X + \delta_Z)]/4$, where $\delta_X = P_{\mathcal{A}}(1)$, $\delta_Z = P_{\mathcal{A}'}(1) \le 1/2$,
may be implicit in [ref.], though their error rates may differ from our $\delta_X$ and $\delta_Z$. This
bound can be understood to be obtained by using the exponent $E_{\mathrm{GV}}(R, P_{\mathcal{M}}) = \min D(Q \,\|\, P_{\mathcal{M}})$,
the minimum being taken over those distributions Q whose error rates $\delta_X, \delta_Z$ satisfy $1 - 2h(\delta_X + \delta_Z) < R$,
in place of $E(R, P_{\mathcal{M}}, (1 - r)P_{\mathcal{A}'}^{\uparrow} + rP_{\mathcal{A}})$ of Theorem 1.
Specifically, this follows from the Gilbert-Varshamov bound for CSS codes [ref.] and
Sanov's theorem in large deviation theory (e.g., [refs.]) or (12). [For the present
purpose, we need only the upper bound on the probability in question, so that the half
of Sanov's theorem, viz., (12), is enough.] Shor and Preskill [6] also mentioned a higher
rate, which corresponds to $[1 - 2h((\delta_X + \delta_Z)/2)]/4$, i.e., (35) with $p_a = p_b = p_c = 1/2$, or

$[1 - 2H(P_{\mathcal{M}})]/4 \quad (d = 2).$ (36)

This rate is established by Theorem 1 (Section 3) rigorously. Another achievable rate is
presented in Appendix B. Several other achievable rates (or tolerable error rates) have
been mentioned in the literature (e.g., [7, Eq. (38)], [refs.]) without details on their
code structures.

8. Conclusion

In summary, we have established achievable rates in the BB84 protocol. This improves on
the one based on the Gilbert-Varshamov bound for CSS codes, which may be implicit
in Shor and Preskill's security proof. Specifically, in this paper we proved the
existence of a version of the BB84 protocol with exponential convergence of the mutual
information between Alice and Eve to zero for any rate below the number in (35).
Several issues lacking in the literature were pointed out and resolved (cf. the criticisms
of Yuen [ref., Appendix A] on other security proofs). Namely, the existence of CSS
codes robust against fluctuations of channel parameters was proved, and the decoding
error probability for key transmission, together with the mutual information, was shown
to decrease exponentially. In particular, it was proved that codes of 'balanced' weight
spectra (Corollary 2) achieve the coding rate $1 - 2h((\delta_X + \delta_Z)/2)$ for d = 2, where
$\delta_X = P_{\mathcal{A}}(1)$, $\delta_Z = P_{\mathcal{A}'}(1)$. A proof of the security of a BB84-type protocol for joint
attacks is given in Appendix C.

In a seemingly less practical but theoretically interesting setting where Eve's attack
is known to Alice and Bob beforehand, the optimum rate has recently been obtained in
Appendix A. Proofs of Subsidiary Results

A1. Proof of the fidelity bound (27)

The bound directly follows from the argument in the two paragraphs containing
Eqs. (18)-(24) of [7, Section III-B] for d = 2. The entanglement distillation protocol
they used is the same as Shor and Preskill's [6] and can be interpreted as follows
for our purposes. Consider the bipartite state $M_n(\mathcal{V}_n) = [\mathcal{I} \otimes \mathcal{V}_n](|\Psi\rangle\langle\Psi|)$, where $|\Psi\rangle =$
$d^{-n/2}\sum_{\xi, y} |\xi, y\rangle \otimes |\xi, y\rangle$ and $\{|\xi, y\rangle\}_y$ is an orthonormal basis of $Q_\xi$. Alice performs
the local measurement $\{\Pi_\xi\}$ on the first half of the system, where $\Pi_\xi$ denotes the
projection onto the code space $Q_\xi$, and Bob performs the recovery operation for the
$N_J$-correcting code $Q_\xi$ knowing that Alice's measurement result is ξ. Since Alice obtains
each result ξ with equal probability, the lower bound of [7] serves as that on the
average entanglement fidelity of the code $(Q_\xi, \mathcal{R}_\xi)$ in question.

The bound (27) for d > 2, together with its tightness, follows from the formula
for 'discrete twirling' ([50] and references therein) and the properties of the symplectic
codes [27]. It is remarked that a similar bound was given by the present author [23,
Lemma 5]; we can rephrase this bound in terms of the entanglement fidelity $F_e$ using
the relation

$K(K + 1)^{-1}\,[1 - F_e(K^{-1}I, \mathcal{A})] = 1 - \mathsf{E}_\varphi\,\langle\varphi| \mathcal{A}(|\varphi\rangle\langle\varphi|) |\varphi\rangle,$

where $\mathcal{A}$ is a CP map on $\mathsf{L}(H)$ with $\dim H = K$, and $\mathsf{E}_\varphi$ denotes the expectation
operator with $\varphi = |\varphi\rangle$ regarded as uniformly distributed over all unit vectors in H [51],
though the resulting bound has the form $1 - F_e' \le (K + 1)K^{-1}\sum_{y \in J^c} P_{\mathcal{V}_n}(y)$, which is
weaker than (27) by the asymptotically negligible factor of $(K + 1)K^{-1}$.



A2. Proof of (30)

First, observe, by the definition of $M_1$ in (25) and that of $|\Psi_y\rangle$ in (26), that $P_{\mathcal{A}}(s, t)$ can
be written as

$P_{\mathcal{A}}(s, t) = \sum_i \big| d^{-1}\,\mathrm{Tr}\, A_i^\dagger X^s Z^t \big|^2, \quad s, t \in \mathbb{F}_d,$

for a CP map $\mathcal{A}(\sigma) = \sum_i A_i \sigma A_i^\dagger$. Then, for $\mathcal{A}' = \mathcal{U}^{-1}\mathcal{A}\mathcal{U}$, we have

$P_{\mathcal{A}'}(s, t) = \sum_i \big| d^{-1}\,\mathrm{Tr}\,(U^\dagger A_i U)^\dagger X^s Z^t \big|^2$

$\qquad\quad = \sum_i \big| d^{-1}\,\mathrm{Tr}\, A_i^\dagger\, U X^s U^\dagger\, U Z^t U^\dagger \big|^2$

$\qquad\quad = \sum_i \big| d^{-1}\,\mathrm{Tr}\, A_i^\dagger Z^{-s} X^t \big|^2,$

where we used the relations $UXU^\dagger = Z^{-1}$ and $UZU^\dagger = X$ for the last equality. Since
$Z^{-s}X^t$ is the same as $X^tZ^{-s}$ up to a phase factor $\omega^{st}$, by the commutation relation
$XZ = \omega ZX$, we have $P_{\mathcal{A}'}(s, t) = P_{\mathcal{A}}(t, -s)$, as promised.



A3. Proof That $P^n(T^c)$ Is the Decoding Error Probability for Key Transmission

The probability in question has the form $[p_1 \cdots p_n](T^c)$, where $p_i$ are probability
distributions on $\mathbb{F}_d$ and $T \subset \mathbb{F}_d^n$ [in the present case, $p_i$ are identically equal to
P], while the i-th transmitted digit suffers the probabilistic change described by a
channel matrix, say, $Q_i(y_i \mid x_i)$, with $p_i(z_i) = d^{-1}\sum_{x_i \in \mathbb{F}_d} Q_i(x_i - z_i \mid x_i)$ as already argued
in Section 5. Putting $q_i(z_i \mid x_i) = Q_i(x_i - z_i \mid x_i)$, $[q_1 \cdots q_n](z_1, \dots, z_n \mid x_1, \dots, x_n) =$
$q_1(z_1 \mid x_1) \cdots q_n(z_n \mid x_n)$, and recalling the decoding procedure in Steps (viii)-(x) of the
protocol, we see the decoding error probability is given by $d^{-n}\sum_{x \in \mathbb{F}_d^n} [q_1 \cdots q_n](T^c \mid x) =$
$[p_1 \cdots p_n](T^c)$, as desired.



Appendix B. Minimum Conditional Entropy Decoding

In this appendix, a decoding strategy for CSS codes in the BB84 protocol that results
in an improvement on the achievable rate, especially when r = 1/2, is proposed.

Define $\mu_m$ and $\mu'_m$ by $\mu_m = |\{i \mid 1 \le i \le m,\ (a_i, b_i, c_i) = (0, 0, 0)\}|$ and
$\mu'_m = |\{i \mid 1 \le i \le m,\ (a_i, b_i, c_i) = (1, 1, 0)\}|$, where m is the number of the whole
sent digits. In the proposed scheme, Alice and Bob use $\min\{\mu_m, \mu'_m\}$ digits with
$(a_i, b_i, c_i) = (0, 0, 0)$ and the same number of digits with $(a_i, b_i, c_i) = (1, 1, 0)$ for CSS
coding, discarding excessive digits if they exist. If r = 1/2, the loss of digits in this
process is small by the strong law of large numbers.

In the conventional decoding schemes for CSS codes in the BB84 protocol [refs.]
or that in Section 4, Bob does not use the information as to whether $a_i = b_i = 0$ or
$a_i = b_i = 1$ has occurred; he considers the channel as the mixture of $\mathcal{A}$ and $\mathcal{A}' = \mathcal{U}^{-1}\mathcal{A}\mathcal{U}$.
To improve on the achievable rates in (35) for r = 1/2, we employ a decoding strategy
that uses the information on $a_i$ (= $b_i$), minimum conditional entropy decoding, so to
speak. Specifically, we associate each word xx', where xx' denotes the concatenation of
$x \in \mathbb{F}_d^\nu$ and $x' \in \mathbb{F}_d^\nu$ and x [x'] is composed of the digits for which $a_i = 0$ [$a_i = 1$], with
the conditional entropy

$h_c(x, x') = \dfrac{H(P_x) + H(P_{x'})}{2}$ (B.1)

and choose a word that minimizes the conditional entropy $h_c$ in each coset in $\mathbb{F}_d^{2\nu}/C^\perp$ to
obtain a transversal T. The quantity $h_c(x, x')$ can be written solely with $P_x$ and $P_{x'}$, so
that we will occasionally denote $h_c(x, x')$ by $h_c(P_x, P_{x'})$.

Theorem 2. Let a number 0 < R < 1 be given. There exists a sequence of pairs
$\{(C_\nu, T_\nu)\}_{\nu \in \mathbb{N}}$, each consisting of a self-orthogonal code $C_\nu \subset \mathbb{F}_d^{2\nu}$ with $2\nu - 2\dim C_\nu \ge$
$2\nu R$ and a set $T_\nu$ of coset representatives of $\mathbb{F}_d^{2\nu}/C_\nu^\perp$ such that for any pair of probability
distributions $P_0$ and $P_1$ on $\mathcal{X}$,

$P_0^\nu P_1^\nu((T'_\nu)^c) \le d^{-2\nu E_c(R, P_0, P_1) + o(\nu)},$

where

$T'_\nu = T_\nu + C_\nu,$

$E_c(R, P_0, P_1) = \min\{E^*(R, P_0, P_1),\ E^*(R, \bar{P}_0, \bar{P}_1)\},$

$E^*(R, P_0, P_1) = \min_{Q_0, Q_1} \big[ D(Q_0 \,\|\, P_0) + D(Q_1 \,\|\, P_1) + |1 - 2h_c(Q_0, Q_1) - R|^+ \big] / 2,$

and the minimization with respect to $(Q_0, Q_1)$ is taken over all pairs of probability
distributions on $\mathbb{F}_d$.

The proof is similar to that of Theorem 1. In this case, we pair up digits in a sequence
$xy = (x_1, \dots, x_\nu, y_1, \dots, y_\nu)$ as $(x_1, y_1), \dots, (x_\nu, y_\nu)$ to regard it as a sequence from $\mathcal{X}^\nu$,
$\mathcal{X} = \mathbb{F}_d \times \mathbb{F}_d$. Then, to evaluate the fidelity of the codes, we use the existence proof of
'balanced' codes in Section 3, which is clearly valid if we use types in $\mathcal{P}_\nu(\mathcal{X})$ in place of
types in $\mathcal{P}_n(\mathbb{F}_d)$, and the similarly modified permutation argument for sequences in $\mathcal{X}^\nu$.
By this theorem with $P_0 = P_{\mathcal{A}}$ and $P_1 = P_{\mathcal{U}^{-1}\mathcal{A}\mathcal{U}}$, the rate $(1 - p_c)[1 - H(P_{\mathcal{A}}) - H(P_{\mathcal{A}'})]/2$
is achievable with the BB84 protocol. The result extends to an arbitrary rational r; for
example, for r = 1/3, we can use types in $\mathcal{P}_\nu(\mathbb{F}_d^3)$.

Appendix C. Security against Joint Attacks

In this appendix, we prove the security of the following modified BB84 protocol
against any joint attack through this paper's approach. In particular, an exponential
upper bound on the information leakage to Eve, which holds for finite m and n, will be
established. This modification to the protocol is essentially due to [ref.], and its main idea
is as follows. In the protocol, about $p_a p_b m$ digits with $a_i = b_i = 1$ are used for estimation
of the level of errors caused by the Weyl unitary Z, the same number of randomly chosen
digits with $a_i = b_i = 0$ are used for estimation of those caused by X, and the about
$[(1 - p_a)(1 - p_b) - p_a p_b]\,m$ remaining digits with $a_i = b_i = 0$ are used for CSS coding. In
this paper, we assume that the parameters $p_a = \Pr\{a_i = 1\}$, $p_b = \Pr\{b_i = 1\} \in (0, 1/2)$
are independent of m in order that the law of large numbers (or any other refined law
such as Sanov's theorem) is applicable to $\{(a_i, b_i)\}$; in [ref.], it is assumed $p_a, p_b$ depend
on m so that r in (24) goes to 0 as m goes to infinity (seemingly only for the purpose
of analysis of security); Hayashi [22] described an idea for a possible proof of security
of this protocol using the codes in Theorem 1 (in fact, the modification for d = 2 in
Section 3.2) for small enough r.

Let $S_n$ be the symmetric group on $\{1, \dots, n\}$ as before. For the proof for joint
attacks, we should be more specific about the expression of the key. Given a self-
orthogonal code C, the key, which is actually a string of $k = n - 2\kappa$ digits, is encoded
into $C^\perp/C$. The encoding map $f_{C, h_1, \dots, h_k}$ can be given as $f_{C, h_1, \dots, h_k} : (\sigma_1, \dots, \sigma_k) \mapsto$
$C + \sigma_1 h_1 + \dots + \sigma_k h_k$, where $\{h_1, \dots, h_k\}$, together with a basis of C, gives a basis of
$C^\perp$. Thus, Alice and Bob specify their cryptographic code by $(g_1, \dots, g_\kappa; h_1, \dots, h_k; T)$;
in this appendix, we always assume $g_1, \dots, g_\kappa$ form a basis of C. We use the syndromes
$X', Z' \in \mathbb{F}_d^\kappa$ for the code $C^\perp$ and the coset representatives X, Z for $\mathbb{F}_d^n/C^\perp$ interchangeably
since they are in one-to-one correspondence with each other once the generator $g_1, \dots, g_\kappa$
of C is fixed: $XH^{\mathrm{T}} = X'$, where $H^{\mathrm{T}} = [g_1^{\mathrm{T}} \cdots g_\kappa^{\mathrm{T}}]$. In places where we want to distinguish
a random variable from its realization, we use the sanserif or bold font for the former
and the italic font for the latter as in the text.



Modified BB84 protocol

(i) The sender, Alice, and the receiver, Bob, do Steps (ii)-(iv) for each i = 1, ..., m.

(ii) Alice chooses a random bit $a_i$. She prepares her system in one state that is chosen
uniformly at random from the Z-basis if $a_i$ is 0, or in one from the X-basis if $a_i$ is 1.

(iii) Alice sends the prepared state to Bob.

(iv) Bob chooses another random bit $b_i$, receives the state, and performs the Z-basis
measurement if $b_i$ is 0, or the X-basis measurement if $b_i$ is 1.

(v) Alice and Bob announce $a = (a_1, \dots, a_m)$ and $b = (b_1, \dots, b_m)$, respectively.

(vi) Alice and Bob discard any results where $a_i \ne b_i$. Let $T_{\mathrm{sift}} = \{i \mid a_i = b_i\}$ (the
remaining places) and $\mu = |T_{\mathrm{sift}}|$. [In the case where d = 2, it is assumed that μ
is even; if not, they disregard another place chosen randomly from $\{i \mid a_i = b_i\}$.]
Put $n = \mu - 2\,|\{i \mid a_i = b_i = 1\}|$. If $n \le 0$ or $n = \mu$, they abort the protocol. To
divide $T_{\mathrm{sift}} = \{i \mid a_i = b_i\}$ into two parts, i.e., that for CSS coding, T, and that for
estimation of the noise level, $T_{\mathrm{sift}} \setminus T$, they do the following. From $\{i \mid a_i = b_i = 0\}$,
Alice randomly chooses (according to the uniform distribution over all possible
choices) $(\mu - n)/2 = |\{i \mid a_i = b_i = 1\}|$ places where digits are to be used for
estimation of the level of errors caused by the Weyl unitary X, and tells the choice
to Bob. The set of the remaining n places with $a_i = b_i = 0$ constitutes T. The digits
with $a_i = b_i = 1$ will also be used for noise estimation.

(vii) Alice and Bob announce the values of their estimation digits thus chosen (which
will be $Y_A$ and $Y_B$ below) and from these, estimate the noise level, and decide on a
secure transmission rate and a CSS code $(g_1, \dots, g_\kappa; h_1, \dots, h_k; T)$ to be used.

(viii) Alice chooses a random permutation π from $S_n$ according to the uniform
distribution, and tells the choice to Bob.

(ix) Alice announces the coset $y + \pi(C^\perp)$, where y (= w + v + x) is the string consisting
of the remaining code digits. In other words, she announces the syndrome $X' =$
$(y \cdot \pi(g_j))_{j=1}^{\kappa}$, which is in one-to-one correspondence with the coset representative
$x \in \mathbb{F}_d^n/\pi(C^\perp)$ of the coset $y + \pi(C^\perp)$.

(x) Bob subtracts the coset representative $x \in \mathbb{F}_d^n/\pi(C^\perp)$ from his code digits, y − e,
and corrects the result y − x − e to a codeword u in $\pi(C)^\perp$, where he uses the
decoder such that u = y − x if $e \in \pi(T)$.

(xi) Alice uses $\sigma = f^{-1}_{\pi(C), \pi(h_1), \dots, \pi(h_k)}[y - x + \pi(C)]$ and Bob uses $\sigma' = f^{-1}_{\pi(C), \pi(h_1), \dots, \pi(h_k)}[u +$
$\pi(C)]$ as the key.
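The classical bookkeeping of Steps (vi)-(vii) above, together with the rate rule (C.1) and the choice of k described at the end of this appendix, as an added example (not code from the paper). It assumes the function names are ours, entropies are to base d, and the admissible code sizes are those of the form $n - 2\kappa$ (from $k = n - 2\kappa$); the inputs in `demo` are constructed.

```python
"""Classical bookkeeping for Steps (vi)-(vii) of the modified BB84 protocol:
sifting, the abort conditions, the random split of the a_i = b_i = 0 places
into code digits T and X-error estimation places, the rate of (C.1) and the
choice of k.  Added illustration, not code from the paper.  Assumptions: the
function names are ours; entropies are to base d as in d^{-nE}; the admissible
code sizes k' are those of the form n - 2*kappa, i.e. k' = n (mod 2), which
follows from k = n - 2*kappa stated above the protocol."""
import math
import random
from collections import Counter


def type_of(seq, d):
    cnt = Counter(seq)
    return {x: cnt[x] / len(seq) for x in range(d)}


def entropy_d(p, d):
    """Shannon entropy of a distribution on F_d, logarithm to base d."""
    return -sum(v * math.log(v, d) for v in p.values() if v > 0)


def sift_modified(a, b, d, rng):
    """Step (vi).  Returns None when the protocol aborts, otherwise the tuple
    (T_sift, mu, n, T, T_prime, T_1) with
      T       = code digit places (a_i = b_i = 0, not chosen for estimation),
      T_prime = places with a_i = b_i = 0 chosen for X-error estimation,
      T_1     = places with a_i = b_i = 1 (Z-error estimation)."""
    T_sift = [i for i in range(len(a)) if a[i] == b[i]]
    if d == 2 and len(T_sift) % 2 == 1:
        T_sift.remove(rng.choice(T_sift))    # keep mu even for d = 2
    mu = len(T_sift)
    T_1 = [i for i in T_sift if a[i] == 1]
    zeros = [i for i in T_sift if a[i] == 0]
    n = mu - 2 * len(T_1)
    if n <= 0 or n == mu:
        return None                          # abort
    T_prime = sorted(rng.sample(zeros, (mu - n) // 2))   # = |T_1| places
    T = sorted(set(zeros) - set(T_prime))
    return T_sift, mu, n, T, T_prime, T_1


def rate_C1(Y_A, Y_B, d, gamma):
    """R(n, mu, Y_A, Y_B) of (C.1).  Y_A, Y_B are the announced estimation
    digits; by convention their first halves come from T_prime (a_i = b_i = 0)
    and their second halves from T_1 (a_i = b_i = 1)."""
    half = len(Y_A) // 2
    xi_est = [(x - y) % d for x, y in zip(Y_A[:half], Y_B[:half])]
    zeta_est = [(y - x) % d for x, y in zip(Y_A[half:], Y_B[half:])]
    H_xi = entropy_d(type_of(xi_est, d), d)
    H_zeta = entropy_d(type_of(zeta_est, d), d)
    return 1 - 2 * max(H_xi, H_zeta) - 2 * gamma


def choose_k(n, R):
    """Smallest admissible key length k' = n - 2*kappa with k'/n >= R,
    or None if no such k' exists (R > 1)."""
    for kappa in range(n // 2, -1, -1):      # k' grows as kappa shrinks
        k = n - 2 * kappa
        if k / n >= R:
            return k
    return None


def demo(seed=7, m=200, d=2, gamma=0.01):
    """Constructed run: random a, b; announced digits agree except in one
    a_i = b_i = 1 place, so only the Z-error entropy is nonzero."""
    rng = random.Random(seed)
    a = [int(rng.random() < 0.3) for _ in range(m)]
    b = [int(rng.random() < 0.3) for _ in range(m)]
    sifted = sift_modified(a, b, d, rng)
    if sifted is None:
        return None
    T_sift, mu, n, T, T_prime, T_1 = sifted
    Y_A = [rng.randrange(d) for _ in range(len(T_prime) + len(T_1))]
    Y_B = list(Y_A)
    Y_B[-1] = (Y_B[-1] + 1) % d
    R = rate_C1(Y_A, Y_B, d, gamma)
    return {"mu": mu, "n": n, "R": R, "k": choose_k(n, R)}


if __name__ == "__main__":
    print(demo())
```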

Let a TPCP map A : L(H® m ) — > L(H® m ) represents the whole action of Eve (plus 
the other environment). This means that there exists a decomposition (CP instrument) 
{^4j}i such that A = ^2iAi, where Ai are trace-nonincreasing CP maps, and when the 
initial state of the system of the whole sent digits is p, Eve obtains data E = i with 
probability Tr^4j(p) leaving the system in state Ai(p) /Tr Ai(p). Here, the decomposition 
may depend on the other random variables available to Eve. However, the proof relies 
on the assumption that A does not depend on a, b, which is needed to use Lemma 
below. Recalling the interpretation of the Z <g> Z^ 1 measurement in Section El and using 
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the U ® [7-invariance of where U = d~ x l 2 Y\ le¥d u^ l \j)(l\ and U = U' 1 , and the 
relation X £g> X\^^) = a/l^^j)) in addition to (jSU), we notice that Alice's sent digits 
rj A = (rj A , . . . , r] A ) and Bob's received digits r] B = (ry B , . . . , 7y B ) are mathematically 
equivalent to the results of the following fictional measurements. We imagine that Alice 
and Bob have a bipartite system in state M m (A), and observe Oa] , i = 1, . . . , m, and 
0£\ i = 1, . . . ,m, respectively, where = J®^- 1 ) ® O ai <g> J® (""-<) e L(H® m ). Here, 
Oo is the 'observable' Z to distinguish the eigenvalues of Z (more precisely, the Z-basis 
measurement {|z)(z|}j=o)> and 0\ denotes A, i.e, {\i)' (i\'}i=o ■ Then, rj A and ry B are the 
same as the sequence of the measurement results of Alice and that of Bob, respectively, 
for d = 2 (and this is true if each digit t G of t] A with a,; = 1 is replaced by 
—t for d > 2). Moreover, we can relate rj A and ry B to the classical random variables 
Ci)> * = 1, . . . , m, which are drawn according to P4 defined by (J28|) as follows. We 
have £ To = T7j o — r]j for the subsequence £ To of £ = £ x • • -£ m ( |Appendix D ), where 



T = {z I a< = bi = 0}, and C Tl = ^ ~ ^ where T i = i' 1 I a * = b * = !}■ 

In what follows, we evaluate the fidelity, $F_{(T_{\rm sift},\mu,n)}$ defined below, of the symplectic code underlying the protocol, which is, in essence, the CSS code $(g_1,\ldots,g_\kappa;h_1,\ldots,h_k;\Gamma)$. As before, the fidelity can be written in terms of the classical random variables $\xi,\zeta$. [In fact, the underlying code is the combined system of this CSS code $\mathrm{CSS}(C,\Gamma)$ and a trivial symplectic code, which conveys no information (i.e., protects only a one-dimensional subspace of $\mathcal{H}^{\otimes(m-n)}$), where each code does its job independently. The trivial code is the collection of simultaneous eigenspaces of $\{\tilde O^{(i)}_{a_i}\mid i\in\{1,\ldots,m\}\setminus T\}$, where $\tilde O^{(i)}_{a_i}\in\mathrm{L}(\mathcal{H}^{\otimes(m-n)})$ is obtained from $O^{(i)}_{a_i}=I^{\otimes(i-1)}\otimes O_{a_i}\otimes I^{\otimes(m-i)}\in\mathrm{L}(\mathcal{H}^{\otimes m})$ by neglecting the $I$'s on the systems for $T$. The combined code is an $N_{\ldots,2(m-n)}$-correcting symplectic code. Here, the appropriate permutation on $\{1,\ldots,m\}$ is to be understood.]

Let $Y_A$ [$Y_B$] denote the string of publicly announced estimation digits of Alice [Bob], which is a subsequence of $\eta^A$ [$\eta^B$]; assume, say, the first half of $Y_A$ [$Y_B$] consists of the digits accompanied by $a_j=b_j=0$ and the latter half is for $a_j=b_j=1$. Recall $T\subset\{1,\ldots,m\}$ denotes the set of the positions of the code digits. Eve can have access to $a$, $b$, $X'$, $S'=(T_{\rm sift},\mu,n)$, $Y_A$, $Y_B$, $T$, $\mathsf{k}$, $C=(g_1,\ldots,g_\kappa;h_1,\ldots,h_k;\Gamma)$ and $\pi$. In what follows, with $m>0$ and the realization $S'=(T_{\rm sift},\mu,n)$ arbitrarily fixed, we will upper-bound $I(\sigma;EX'Y_AY_B\pi TabC\mid\mathsf{k},S'=(T_{\rm sift},\mu,n))$ and the probability of key disagreement $\Pr\{\sigma\ne\sigma'\mid S'=(T_{\rm sift},\mu,n)\}$ simultaneously.

In step (vii), Alice and Bob choose the code in the following manner. With a sufficiently small constant $\gamma>0$ chosen beforehand, they set

$$R(n,\mu,Y_A,Y_B)=1-2\max\{H(P_{\xi_{\rm est}}),H(P_{\zeta_{\rm est}})\}-2\gamma, \qquad \text{(C.1)}$$

where $\xi_{\rm est}$ and $\zeta_{\rm est}$ represent the first half of $Y_A-Y_B$ and the second half of $Y_B-Y_A$, respectively, calculate the minimum $\hat k$ of the possible code sizes $k'$ with $k'/n\ge R(n,\mu,Y_A,Y_B)$, set $\mathsf{k}=\hat k$, and choose a code $(g_1,\ldots,g_\kappa;h_1,\ldots,h_{\hat k};\Gamma)$ from the shared list of codes satisfying the property of Corollary (ref.). Note that $\xi_{\rm est}=\xi_{T'}$, where $T'\subset\{i\mid a_i=b_i=0\}$ stands for the places for the estimation, and $\zeta_{\rm est}=\zeta_{T''}$ with $T''\subset\{i\mid a_i=b_i=1\}$.
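As an added illustration of step (vii) (this is example code written for this page, not code from the paper), the following Python takes announced estimation strings $Y_A$, $Y_B$, forms the two halves $\xi_{\rm est}=Y_A-Y_B$ and $\zeta_{\rm est}=Y_B-Y_A$ over $\mathbb{F}_d$, evaluates the rate (C.1) with $d$-ary entropies, and picks the smallest listed code size $k'$ with $k'/n\ge R$. The sample strings, the constant $\gamma$, the list of available code sizes and the code length $n$ are constructed assumptions; the functions work for any $d\ge 2$, not only the binary case.

```python
import math
from collections import Counter
from typing import List, Optional, Sequence, Tuple


def empirical_type(seq: Sequence[int], d: int) -> List[float]:
    """Type P_seq of a d-ary string: the empirical distribution over F_d = {0, ..., d-1}."""
    counts = Counter(seq)
    return [counts.get(x, 0) / len(seq) for x in range(d)]


def entropy_base_d(p: Sequence[float], d: int) -> float:
    """H(P) = -sum_y P(y) log_d P(y), in d-ary units (0 log 0 = 0)."""
    return -sum(x * math.log(x, d) for x in p if x > 0.0)


def estimation_types(y_a: Sequence[int], y_b: Sequence[int], d: int) -> Tuple[List[float], List[float]]:
    """Types of xi_est and zeta_est.

    By the convention of the text the first half of Y_A, Y_B carries the a_j = b_j = 0
    digits (xi_est = Y_A - Y_B) and the second half the a_j = b_j = 1 digits
    (zeta_est = Y_B - Y_A), all differences taken in F_d.
    """
    if len(y_a) != len(y_b) or len(y_a) % 2:
        raise ValueError("Y_A and Y_B must have the same even length")
    half = len(y_a) // 2
    xi_est = [(a - b) % d for a, b in zip(y_a[:half], y_b[:half])]
    zeta_est = [(b - a) % d for a, b in zip(y_a[half:], y_b[half:])]
    return empirical_type(xi_est, d), empirical_type(zeta_est, d)


def rate_c1(y_a: Sequence[int], y_b: Sequence[int], d: int, gamma: float) -> float:
    """R(n, mu, Y_A, Y_B) = 1 - 2 max{H(P_xi_est), H(P_zeta_est)} - 2 gamma, i.e. (C.1)."""
    p_xi, p_zeta = estimation_types(y_a, y_b, d)
    return 1.0 - 2.0 * max(entropy_base_d(p_xi, d), entropy_base_d(p_zeta, d)) - 2.0 * gamma


def choose_code_size(n: int, rate: float, available_sizes: Sequence[int]) -> Optional[int]:
    """Minimum k' in the shared list with k'/n >= rate; None when no listed code reaches the rate."""
    fitting = [k for k in available_sizes if k / n >= rate]
    return min(fitting) if fitting else None


# Constructed sample (assumption, not from the paper): d = 2, 40 announced estimation
# digits per party, exactly one disagreement in each basis half (5% each).
Y_A = [0, 1, 1, 0, 1, 0, 0, 1, 1, 0] * 4
Y_B = list(Y_A)
Y_B[3] ^= 1    # Z-basis disagreement: xi_est gets one nonzero digit
Y_B[27] ^= 1   # X-basis disagreement: zeta_est gets one nonzero digit

if __name__ == "__main__":
    R = rate_c1(Y_A, Y_B, d=2, gamma=0.01)
    # Hypothetical shared list of code sizes for a length-100 code (assumption).
    k_hat = choose_code_size(n=100, rate=R, available_sizes=range(0, 101, 10))
    print(f"R = {R:.4f}, chosen code size k_hat = {k_hat}")
```

With the sample above both halves have a 5% disagreement, so $H(P_{\xi_{\rm est}})=H(P_{\zeta_{\rm est}})\approx 0.286$ bits and $R\approx 0.407$; the smallest listed size reaching that rate for $n=100$ is $k'=50$. A nonpositive $R$ means the observed disagreement is too large for (C.1) to yield any positive rate, which is the situation in which the parties cannot distil key from this block.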

Let $F_{\hat k,(T_{\rm sift},\mu,n)}$ be the fidelity of the code used when $\mathsf{k}=\hat k$, averaged over the permutation $\pi\in S_n$ (i.e., $|S_n|^{-1}\sum_{\pi\in S_n}$ of the fidelity under the error distribution conditioned on $\mathsf{k}=\hat k$, $S'=(T_{\rm sift},\mu,n)$), where $\xi_{\rm code}=\xi_T$ and $\zeta_{\rm code}=\zeta_T$. Then,

$$1-F_{\hat k,(T_{\rm sift},\mu,n)}\le B(P_{\xi_{\rm code}\mid\mathsf{k}=\hat k,S'=(T_{\rm sift},\mu,n)})+B(P_{\zeta_{\rm code}\mid\mathsf{k}=\hat k,S'=(T_{\rm sift},\mu,n)}), \qquad \text{(C.2)}$$

where $B(Q)=|S_n|^{-1}\sum_{\pi\in S_n}Q[\pi(L+\cdots)]$ is the quantity bounded earlier. The part bounding $B(\rho)$ in Section (ref.) (the last paragraph in Section 3.1), as well as its modification for $d=2$ in Section 3.2, applies verbatim to the present case, where we want to upper-bound $B(P_{G\mid\mathsf{k}=\hat k,S'=(T_{\rm sift},\mu,n)})$ for $G=\xi_{\rm code},\zeta_{\rm code}$, if we replace $P_\xi$, $B(P_\xi)$ in (ref.) and $d^{-nD(P\|Q)}$ in (ref.) by $P_{G\mid\mathsf{k}=\hat k,S'=(T_{\rm sift},\mu,n),(Y_A,Y_B)=(y_A,y_B)}$, $B(P_{G\mid\mathsf{k}=\hat k,S'=(T_{\rm sift},\mu,n),(Y_A,Y_B)=(y_A,y_B)})$ and $P_{G\mid\mathsf{k}=\hat k,S'=(T_{\rm sift},\mu,n),(Y_A,Y_B)=(y_A,y_B)}(T^n_Q)$, respectively. Thus, we have

$$\begin{aligned}
B(P_{\xi_{\rm code}\mid\mathsf{k}=\hat k,S'=(T_{\rm sift},\mu,n),(Y_A,Y_B)=(y_A,y_B)})
&\le |\mathcal{P}_n|\sum_{Q\in\mathcal{P}_n}P_{\xi_{\rm code}\mid\mathsf{k}=\hat k,S'=(T_{\rm sift},\mu,n),(Y_A,Y_B)=(y_A,y_B)}(T^n_Q)\cdot\min\Big\{\sum_{Q':H(Q')\le H(Q)}d^{\,nH(Q')-(n-\hat k)/2},\,1\Big\}\\
&\le d^{d}|\mathcal{P}_n|^2\sum_{Q\in\mathcal{P}_n}\Pr\{P_{\xi_{\rm code}}=Q\mid\mathsf{k}=\hat k,S'=(T_{\rm sift},\mu,n),(Y_A,Y_B)=(y_A,y_B)\}\,d^{-n|1-R(n,\mu,y_A,y_B)-2H(Q)|^+/2}
\end{aligned}$$

for any $\hat k$ and $(y_A,y_B)$ with $\Pr\{\mathsf{k}=\hat k,(Y_A,Y_B)=(y_A,y_B)\mid S'=(T_{\rm sift},\mu,n)\}>0$, as well as the counterpart for $\zeta_{\rm code}$. Substituting (C.1) into these estimates, applying the operation $A\mapsto\sum_{(y_A,y_B),\hat k}\Pr\{(Y_A,Y_B)=(y_A,y_B),\mathsf{k}=\hat k\mid S'=(T_{\rm sift},\mu,n)\}A$, and combining them with (C.2), we have the following bound on $F_{(T_{\rm sift},\mu,n)}=\sum_{\hat k}\Pr\{\mathsf{k}=\hat k\mid S'=(T_{\rm sift},\mu,n)\}F_{\hat k,(T_{\rm sift},\mu,n)}$:

$$\begin{aligned}
1-F_{(T_{\rm sift},\mu,n)}
&\le d^{d}|\mathcal{P}_n|^2\sum_{Q\in\mathcal{P}_n,\,Q'\in\mathcal{P}_{(\mu-n)/2}}\Pr\{P_{\xi_{\rm code}}=Q\ \text{and}\ P_{\xi_{\rm est}}=Q'\mid S'=(T_{\rm sift},\mu,n)\}\,d^{-n|H(Q')-H(Q)+\gamma|^+}\\
&\quad+d^{d}|\mathcal{P}_n|^2\sum_{Q\in\mathcal{P}_n,\,Q'\in\mathcal{P}_{(\mu-n)/2}}\Pr\{P_{\zeta_{\rm code}}=Q\ \text{and}\ P_{\zeta_{\rm est}}=Q'\mid S'=(T_{\rm sift},\mu,n)\}\,d^{-n|H(Q')-H(Q)+\gamma|^+}\\
&\le 4d^{d}|\mathcal{P}_n|^3|\mathcal{P}_{(n+\mu)/2}|^3\,d^{-nE_1(\gamma,\alpha)}, \qquad \text{(C.3)}
\end{aligned}$$

where $\alpha=(\mu-n)/(\mu+n)$,

$$E_1(\gamma,\alpha)=\min_{\varepsilon\ge 0}\left\{(1-\alpha)^{-1}[g(\alpha)\varepsilon]^2/(2\ln d)+|\gamma-\theta(\varepsilon)|^+\right\},$$

$$\theta(x)=\begin{cases}-x\log_d(x/d) & \text{for } 0<x<1/2,\\ 1 & \text{for } 1/2\le x,\end{cases}$$

and

$$g(\alpha)=\frac{\sqrt{\alpha(1-\alpha)}}{\sqrt{\alpha}+\sqrt{1-\alpha}}.$$

To see the last inequality in (C.3), we need the next lemma with $\mathcal{Y}=\mathbb{F}_d$ and $N=(\mu+n)/2$ as well as the continuity of entropy, i.e., that $\|Q-Q'\|_1\le\varepsilon$ implies $|H(Q)-H(Q')|\le\theta(\varepsilon)$ [17]; we have upper-bounded each summation on the right-hand side by $\sum_{\varepsilon}2|\mathcal{P}_N|^2d^{-N[g(\alpha)\varepsilon]^2/(2\ln d)}d^{-n|\gamma-\theta(\varepsilon)|^+}$ using the lemma, where $\varepsilon$ ranges over $\{\varepsilon\mid\exists Q\in\mathcal{P}_n,Q'\in\mathcal{P}_{(\mu-n)/2},\ \|Q-Q'\|_1=\varepsilon\}$, which is not greater than $2|\mathcal{P}_n||\mathcal{P}_N|^3d^{-nE_1(\gamma,\alpha)}$.

Lemma 5 (Random Sampling). Let a finite alphabet $\mathcal{Y}$ and positive integers $n$ and $N$, $0<n<N$, be given. Put $\alpha=(N-n)/N$. Assume that $Y$ is an arbitrary random variable taking values in $\mathcal{Y}^N$ and we choose $n$ symbols from $Y$ uniformly randomly. Denote the resulting string by $Y'$ (arranged in an arbitrary order, which does not matter) and the string of the remaining digits by $Y''$. Then the probability that $\|P_{Y'}-P_{Y''}\|_1\ge\varepsilon$ is upper-bounded by $2|\mathcal{P}_N(\mathcal{Y})|^2d^{-N[g(\alpha)\varepsilon]^2/(2\ln d)}$.

Proof. For a fixed realization $y$ of $Y$, denote the conditional probability $\Pr\{P_{Y'}=Q\ \text{and}\ P_{Y''}=Q'\mid Y=y\}$ by $W(Q,Q'\mid y)$ ($W$ is a classical channel). For now imagine that $Y$ is the sequence of independent random variables identically distributed according to $Q\in\mathcal{P}_N(\mathcal{Y})$, and let $(Q^N\times W)[A]$, or the $Q^N\times W$-probability of $A$, denote the probability of the event $A$ under this condition. The $Q^N\times W$-probability that $\|P_{Y'}-P_Y\|_1\ge\varepsilon'/\sqrt{1-\alpha}$ or $\|P_{Y''}-P_Y\|_1\ge\varepsilon'/\sqrt{\alpha}$ is upper-bounded by $2|\mathcal{P}_N(\mathcal{Y})|d^{-N\varepsilon'^2/(2\ln d)}$ by large deviation theory, i.e., by (12) and Pinsker's inequality $D(Q\|Q')\ge\|Q-Q'\|_1^2/(2\ln d)$ [ref.]. In words, the probability that $\|P_{Y'}-P_Y\|_1<\varepsilon'/\sqrt{1-\alpha}$ and $\|P_{Y''}-P_Y\|_1<\varepsilon'/\sqrt{\alpha}$ is lower-bounded by $1-2|\mathcal{P}_N(\mathcal{Y})|d^{-N\varepsilon'^2/(2\ln d)}$. By the triangle inequality, this immediately implies $(Q^N\times W)[\|P_{Y'}-P_{Y''}\|_1<(1/\sqrt{\alpha}+1/\sqrt{1-\alpha})\varepsilon']\ge 1-2|\mathcal{P}_N(\mathcal{Y})|d^{-N\varepsilon'^2/(2\ln d)}$. Note that $W(\cdot,\cdot\mid y)$ is the same for all $y\in\mathcal{Y}^N$ of a fixed type, and hence, $\forall Q',Q''$, $W(Q',Q''\mid y)\le(Q^N\times W)[P_{Y'}=Q'\ \text{and}\ P_{Y''}=Q'']/Q^N(T^N_Q)$, where $Q=P_y$, for any $y$. Since for any $Q\in\mathcal{P}_N(\mathcal{Y})$, $Q^N(T^N_Q)\ge|\mathcal{P}_N(\mathcal{Y})|^{-1}$ (in fact, $\max_{P\in\mathcal{P}_N(\mathcal{Y})}Q^N(T^N_P)=Q^N(T^N_Q)$ [17]), we have $\Pr\{\|P_{Y'}-P_{Y''}\|_1\ge(1/\sqrt{\alpha}+1/\sqrt{1-\alpha})\varepsilon'\mid Y=y\}\le 2|\mathcal{P}_N(\mathcal{Y})|^2d^{-N\varepsilon'^2/(2\ln d)}$.

Noticing this bound is independent of $y$, we obtain the lemma. □

Remark. In the above application of this lemma, $Y'$ and $Y''$ are the code digits and estimation digits, respectively. This ensures that $P_{Y'}$ and $P_{Y''}$ are close with high probability. In the binary case where $\mathcal{Y}=\{0,1\}$, upper bounds of the form $\exp\{-(N-n)K\varepsilon^2\}$, with some constant $K$, for the probability that $P_{Y'}(1)-P_{Y''}(1)\ge\varepsilon$ have been known for long [ref.], and most security proofs for QKD use this type of bounds (e.g., [ref., Appendix M, e-Print], [ref., Lemma 1], [ref., Eq. (25)], [ref., Appendix, Property 16], [55, p. 589, Exercise 12.27], [ref.]). An advantage of the above lemma is its applicability to the case where $|\mathcal{Y}|>2$.
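To give a numerical feel for Lemma 5 and for the exponent $E_1(\gamma,\alpha)$ of (C.3), the following Python (added here; it is not code from the paper) evaluates the lemma's bound $2|\mathcal{P}_N(\mathcal{Y})|^2d^{-N[g(\alpha)\varepsilon]^2/(2\ln d)}$ for given $N,n,\varepsilon$, compares it with a Monte Carlo estimate of $\Pr\{\|P_{Y'}-P_{Y''}\|_1\ge\varepsilon\}$ on a constructed string $y$, and computes $E_1(\gamma,\alpha)$ by a grid search over $\varepsilon$ using the $\theta$ and $g$ defined above. The sample string, the number of trials, the grid resolution and the convention $\theta(0)=0$ (the limit of $-x\log_d(x/d)$ as $x\to 0$) are assumptions; $|\mathcal{P}_N(\mathcal{Y})|$ is taken as the number of compositions of $N$ into $|\mathcal{Y}|$ parts.

```python
import math
import random
from collections import Counter
from typing import Sequence


def num_types(N: int, alphabet_size: int) -> int:
    """|P_N(Y)|: number of types of length-N strings over an alphabet of size |Y|,
    i.e. the number of compositions of N into |Y| non-negative parts."""
    return math.comb(N + alphabet_size - 1, alphabet_size - 1)


def g(alpha: float) -> float:
    """g(alpha) = sqrt(alpha(1-alpha)) / (sqrt(alpha) + sqrt(1-alpha))."""
    return math.sqrt(alpha * (1.0 - alpha)) / (math.sqrt(alpha) + math.sqrt(1.0 - alpha))


def lemma5_bound(N: int, n: int, eps: float, alphabet_size: int, d: int) -> float:
    """Lemma 5: 2 |P_N(Y)|^2 d^{-N [g(alpha) eps]^2 / (2 ln d)}, alpha = (N - n)/N.
    Since d^{-x/(2 ln d)} = e^{-x/2}, the base d only fixes the units of the exponent."""
    alpha = (N - n) / N
    exponent = -N * (g(alpha) * eps) ** 2 / (2.0 * math.log(d))
    return 2.0 * num_types(N, alphabet_size) ** 2 * d ** exponent


def l1_type_distance(y1: Sequence[int], y2: Sequence[int], alphabet_size: int) -> float:
    """||P_{y1} - P_{y2}||_1 between the types of two strings over {0, ..., |Y|-1}."""
    c1, c2 = Counter(y1), Counter(y2)
    return sum(abs(c1.get(s, 0) / len(y1) - c2.get(s, 0) / len(y2)) for s in range(alphabet_size))


def sampling_exceedance_frequency(y: Sequence[int], n: int, eps: float, alphabet_size: int,
                                  trials: int, seed: int = 1) -> float:
    """Monte Carlo estimate of Pr{||P_{Y'} - P_{Y''}||_1 >= eps | Y = y}: the n symbols of Y'
    are chosen uniformly at random (a random shuffle), Y'' is the remainder."""
    rng = random.Random(seed)  # fixed seed so the estimate is reproducible
    hits = 0
    for _ in range(trials):
        perm = list(y)
        rng.shuffle(perm)
        if l1_type_distance(perm[:n], perm[n:], alphabet_size) >= eps:
            hits += 1
    return hits / trials


def theta(x: float, d: int) -> float:
    """theta(x) = -x log_d(x/d) for 0 < x < 1/2 and 1 for x >= 1/2; theta(0) = 0 by continuity (assumption)."""
    if x <= 0.0:
        return 0.0
    if x < 0.5:
        return -x * math.log(x / d, d)
    return 1.0


def E1(gamma: float, alpha: float, d: int, steps: int = 10000) -> float:
    """E_1(gamma, alpha) = min_eps {(1-alpha)^{-1}[g(alpha) eps]^2/(2 ln d) + |gamma - theta(eps)|^+},
    minimised over the grid eps = i/steps, i = 0..steps (eps > 1 never helps: theta = 1 there)."""
    scale = g(alpha) ** 2 / ((1.0 - alpha) * 2.0 * math.log(d))
    best = math.inf
    for i in range(steps + 1):
        eps = i / steps
        best = min(best, scale * eps * eps + max(gamma - theta(eps, d), 0.0))
    return best


if __name__ == "__main__":
    # Constructed string (assumption): N = 10000 binary digits, half of them 1; n = 5000 code digits.
    y = [0] * 5000 + [1] * 5000
    b = lemma5_bound(10000, 5000, 0.2, alphabet_size=2, d=2)
    f = sampling_exceedance_frequency(y, 5000, 0.2, alphabet_size=2, trials=50)
    print(f"Lemma 5 bound {b:.3e}, Monte Carlo frequency {f:.3f}")
    print(f"E_1(0.05, 0.5) = {E1(0.05, 0.5, 2):.3e}")
```

Two things a practitioner should notice when running it. First, the bound is only useful for long blocks: with $N=100$ the polynomial prefactor $2|\mathcal{P}_N|^2$ makes it exceed 1, so the lemma says nothing about short strings, while at $N=10000$ it is already below $10^{-2}$ for $\varepsilon=0.2$. Second, $E_1(\gamma,\alpha)$ is positive but much smaller than $\gamma$ itself, since the minimising $\varepsilon$ sits where $\theta(\varepsilon)$ first reaches $\gamma$; this is why the exponent in (C.3), not the constants, determines the block length needed for a given security level.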
The rest of the task is to relate the fidelity bound in (C.3) to the mutual information as we did in Section (ref.) for individual attacks. In the present case, we initially have

$$I(\sigma;E\mid X'Z'Y_AY_B\pi TabC\mathsf{k},S'=(T_{\rm sift},\mu,n))\le 2d^{-nE_1(\gamma,\alpha)+o_1(n,\mu)}\,[n(E_1(\gamma,\alpha)+1)-o_1(n,\mu)]$$

with a negligible function $o_1(n,\mu)$. Note that $\sigma$ is independent of $X',Z',Y_A,Y_B,\pi,T,a,b$ and $C$ conditionally on $\mathsf{k}$ (i.e., $S'''=(X',Z',Y_A,Y_B,\pi,T,a,b,C)$, $\mathsf{k}$ and $\sigma$ form a Markov chain in this order given $S'=(T_{\rm sift},\mu,n)$) since the probability of $\sigma$ conditioned on $\mathsf{k}=\hat k$, $S'''=s'''$ and $S'=(T_{\rm sift},\mu,n)$ is uniform over $\mathbb{F}_d^{\hat k}$. By the chain rule for mutual information, again, this implies

$$I(\sigma;EX'Y_AY_B\pi TabC\mid\mathsf{k},S'=(T_{\rm sift},\mu,n))\le d^{-nE_1(\gamma,\alpha)+o(m)}$$

[cf. (ref.)], where $o(m)$ can be explicitly given as $3\log_d 2+d+6(d-1)\log_d m+\log_d[m(\mu+1)]$. This simultaneously upper-bounds $\Pr\{\sigma\ne\sigma'\mid S'=(T_{\rm sift},\mu,n)\}$ since the argument in Section A.3 also extends to the present case trivially. The bound is valid for $m$ finite and is also meaningful in the limit of large $m$ since $\alpha$ goes to $r$ in (24) almost surely by the law of large numbers applied to the stochastic process $\{(a_j,b_j)\}_j$. In fact, for the almost sure event where $\alpha\in[r_0,r_1]$ for all large enough $m$, where $r_0<r<r_1$, the bound is true with $E_1(\gamma,\alpha)$ replaced by

$$E_2(\gamma,r_0,r_1)=\min_{\varepsilon\ge 0}\left[G\varepsilon^2/(2\ln d)+|\gamma-\theta(\varepsilon)|^+\right].$$

Here, $G=\min_{r_0\le\alpha\le r_1}(1-\alpha)^{-1}[g(\alpha)]^2$ can be made positive so that $E_2(\gamma,r_0,r_1)$ is positive by choosing $r_0$, $r_1$ and $\gamma$ appropriately.

This protocol achieves the rate $(1-p_a-p_b)[1-2\max\{H(P^{\xi}_\Lambda),H(P^{\zeta}_\Lambda)\}]$ for an individual attack $\Lambda$, as can be checked more easily by modifying the argument in Section (ref.).

Appendix D. Nomenclature

Several symbols often used in this paper are listed below.

Strings, Probability Distributions and the Weyl Unitary Basis

• $0^n=(0,\ldots,0)\in\mathbb{F}_d^n$, $1^n=(1,\ldots,1)\in\mathbb{F}_d^n$

• $\mathcal{X}=\mathbb{F}_d^2=\mathbb{F}_d\times\mathbb{F}_d$

• $[u,w]=((u_1,w_1),\ldots,(u_n,w_n))\in\mathcal{X}^n$ for $u=(u_1,\ldots,u_n),\,w=(w_1,\ldots,w_n)\in\mathbb{F}_d^n$

• $N_{[u,w]}=X^uZ^w$, where $X^u=X^{u_1}\otimes\cdots\otimes X^{u_n}$ and $Z^w=Z^{w_1}\otimes\cdots\otimes Z^{w_n}$

• $P_x$: type of the string $x$ defined by (17)

• $\mathcal{P}(\mathcal{Y})$: the set of all probability distributions on $\mathcal{Y}$

• $\mathcal{P}_n(\mathcal{Y})$: the set of all types of sequences in $\mathcal{Y}^n$ [$\mathcal{P}_n(\mathcal{Y})\subset\mathcal{P}(\mathcal{Y})$]

• $[PQ](x,y)=P(x)Q(y)$

• $s_T$: subsequence $s_{j_1}\cdots s_{j_n}$ of $s_1\cdots s_m$, where $T=\{j_1,\ldots,j_n\}\subset\{1,\ldots,m\}$ and $j_1<\cdots<j_n$

Standard Notation in Information Theory

• Entropy: $H(P)=-\sum_y P(y)\log_d P(y)$

• Kullback-Leibler information: $D(P\|Q)=\sum_{y\in\mathcal{Y}}P(y)\log_d\dfrac{P(y)}{Q(y)}$

• Mutual information: For random variables $X$ and $Y$, $I(X;Y)=D(P_{XY}\|P_XP_Y)$, where $P_W$ denotes the probability distribution of $W$ for an arbitrary discrete random variable $W$; $I(X;Y\mid Z=z)=D(P_{XY\mid Z=z}\|P_{X\mid Z=z}P_{Y\mid Z=z})$, where the probability that $W=w$ conditional on the event $Z=z$ is denoted by $P_{W\mid Z=z}(w)$, and $I(X;Y\mid Z)$ stands for the expectation $\sum_z P_Z(z)I(X;Y\mid Z=z)$.

• $h(x)=-x\log_2 x-(1-x)\log_2(1-x)$, $0\le x\le 1$

CSS Codes

• $\Gamma$: transversal (set of coset representatives in which each coset has exactly one representative) of $\mathbb{F}_d^n/C^\perp$

• $\mathrm{CSS}(C,\Gamma)$: $N_{J(\Gamma)}$-correcting CSS code made from a self-orthogonal $C$ with basis $g_1,\ldots,g_\kappa$, where $J(\Gamma)$ is given in (ref.)

• Letters $v,x,z$ as coset representatives (after 0): $v+C\in C^\perp/C$, $x+C^\perp\in\mathbb{F}_d^n/C^\perp$, $z+C^\perp\in\mathbb{F}_d^n/C^\perp$

Parameters in the BB84 protocol

• $m$: total number of $d$-ary digits transmitted in the BB84 protocol

• $n$: code-length of the CSS code

• $\kappa=\dim_{\mathbb{F}_d}C$

• $k=n-2\kappa=\log_d\dim_{\mathbb{C}}Q_{xz}$ ($Q_{xz}$: quantum CSS codes)